[Pkg-puppet-devel] (forw) [Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset supplementary groups when it switches to a different user

Micah Anderson micah at riseup.net
Fri Oct 16 14:33:24 UTC 2009 

* Andrew Pollock <apollock at debian.org> [2009-10-15 17:17-0400]:
> On Thu, Oct 15, 2009 at 04:45:58PM -0400, Micah Anderson wrote:
> > A CVE was obtained for this puppet issue, does anyone know if this issue
> > could be backported to stable for a point release update?
> 
> Did you see Guiseppe's email?

You mean the one I forwarded below? Odd, I did not see it on the
pkg-puppet-devel list, but only on the secure-testing-team list (hence
why I forwarded it). I see now in the headers that it was also sent to
this list, so apologies for the duplicates.

micah


> > ----- Forwarded message from Giuseppe Iuculano <iuculano at debian.org> -----
> > 
> > Sender: secure-testing-team-bounces+micah=debian.org at lists.alioth.debian.org
> > From: Giuseppe Iuculano <iuculano at debian.org>
> > Reply-To: Giuseppe Iuculano <iuculano at debian.org>, 551073 at bugs.debian.org
> > Subject: [Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset
> > 	supplementary groups when it switches to a different user
> > Date: Thu, 15 Oct 2009 14:46:35 +0200
> > To: Debian Bug Tracking System <submit at bugs.debian.org>
> > Resent-From: Giuseppe Iuculano <iuculano at debian.org>
> > Resent-To: debian-bugs-dist at lists.debian.org
> > Resent-CC: team at security.debian.org,
> > 	secure-testing-team at lists.alioth.debian.org,
> > 	Puppet Package Maintainers <pkg-puppet-devel at lists.alioth.debian.org>
> > Resent-Date: Thu, 15 Oct 2009 13:12:02 +0000
> > Resent-Message-ID: <handler.551073.B.12556108028185 at bugs.debian.org>
> > Resent-Sender: Debian BTS <debbugs at rietz.debian.org>
> > Resent-Date: Thu, 15 Oct 2009 13:12:05 +0000
> > 
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for puppet.
> > 
> > CVE-2009-3564[0]:
> > | puppetmasterd in puppet 0.24.6 does not reset supplementary groups
> > | when it switches to a different user, which might allow local users to
> > | access restricted files.
> > 
> > Unfortunately the vulnerability described above is not important enough
> > to get it fixed via regular security update in Debian stable and oldstable. It
> > does not warrant a DSA.
> > 
> > However it would be nice if this could get fixed via a regular point update[1].
> > Please contact the release team for this.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3564
> >     http://security-tracker.debian.net/tracker/CVE-2009-3564
> > [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
> > 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20091016/6bf85f97/attachment.pgp>

More information about the Pkg-puppet-devel mailing list