[Pkg-puppet-devel] (forw) [Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset supplementary groups when it switches to a different user

Andrew Pollock apollock at debian.org
Thu Oct 15 21:16:42 UTC 2009


On Thu, Oct 15, 2009 at 04:45:58PM -0400, Micah Anderson wrote:
> A CVE was obtained for this puppet issue, does anyone know if this issue
> could be backported to stable for a point release update?

Did you see Giuseppe's email?
 
> micah
> 
> 
> ----- Forwarded message from Giuseppe Iuculano <iuculano at debian.org> -----
> 
> Sender: secure-testing-team-bounces+micah=debian.org at lists.alioth.debian.org
> From: Giuseppe Iuculano <iuculano at debian.org>
> Reply-To: Giuseppe Iuculano <iuculano at debian.org>, 551073 at bugs.debian.org
> Subject: [Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset
> 	supplementary groups when it switches to a different user
> Date: Thu, 15 Oct 2009 14:46:35 +0200
> To: Debian Bug Tracking System <submit at bugs.debian.org>
> Resent-From: Giuseppe Iuculano <iuculano at debian.org>
> Resent-To: debian-bugs-dist at lists.debian.org
> Resent-CC: team at security.debian.org,
> 	secure-testing-team at lists.alioth.debian.org,
> 	Puppet Package Maintainers <pkg-puppet-devel at lists.alioth.debian.org>
> Resent-Date: Thu, 15 Oct 2009 13:12:02 +0000
> Resent-Message-ID: <handler.551073.B.12556108028185 at bugs.debian.org>
> Resent-Sender: Debian BTS <debbugs at rietz.debian.org>
> Resent-Date: Thu, 15 Oct 2009 13:12:05 +0000
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for puppet.
> 
> CVE-2009-3564[0]:
> | puppetmasterd in puppet 0.24.6 does not reset supplementary groups
> | when it switches to a different user, which might allow local users to
> | access restricted files.
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable and oldstable. It
> does not warrant a DSA.
> 
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3564
>     http://security-tracker.debian.net/tracker/CVE-2009-3564
> [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
> 
> Cheers,
> Giuseppe
> 
> 
> ----- End forwarded message -----
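
The class of bug named in the CVE text above, shown as an added example that is not part of this thread and is not Puppet's code or its fix: a privilege drop that replaces the supplementary group list before changing GID and UID, plus a check over `/proc/<pid>/status` text for groups a non-root process still holds. The function names, the uid/gid 105 and the sample status text are constructed for illustration, and the check assumes a Linux `/proc` layout.

```ruby
require 'etc'

# Drop from root to `user` (hypothetical helper). Order matters: the
# supplementary groups and the GID must be replaced while the process
# still has the privilege to change them; the UID goes last.
def drop_privileges(user)
  pw = Etc.getpwnam(user)
  Process.initgroups(pw.name, pw.gid)    # replace the inherited supplementary groups
  Process::GID.change_privilege(pw.gid)  # real, effective and saved GID
  Process::UID.change_privilege(pw.uid)  # real, effective and saved UID
end

# Extract effective UID/GID and supplementary groups from status text.
def parse_status(text)
  fields = {}
  text.each_line do |line|
    key, value = line.chomp.split(":", 2)
    next if value.nil?
    fields[key] = value.split.map(&:to_i) if %w[Uid Gid Groups].include?(key)
  end
  # Uid:/Gid: columns are real, effective, saved, filesystem.
  { euid: fields.fetch("Uid")[1], egid: fields.fetch("Gid")[1],
    groups: fields.fetch("Groups", []) }
end

# Supplementary groups a non-root process holds beyond the set expected
# for its user. A non-empty result means the group list was not reset.
def leftover_groups(status_text, expected_gids)
  s = parse_status(status_text)
  return [] if s[:euid].zero?
  s[:groups] - expected_gids - [s[:egid]]
end

# Constructed samples: the same daemon after switching to uid/gid 105,
# once with the starting user's groups still attached and once without.
LEAKY = "Name:\tdaemon\nUid:\t105\t105\t105\t105\nGid:\t105\t105\t105\t105\nGroups:\t0 4 105 \n"
CLEAN = "Name:\tdaemon\nUid:\t105\t105\t105\t105\nGid:\t105\t105\t105\t105\nGroups:\t105 \n"

if __FILE__ == $PROGRAM_NAME
  p leftover_groups(LEAKY, [105])
  p leftover_groups(CLEAN, [105])
end
```
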


