[Pkg-puppet-devel] (Debian RT) puppet / CVE-2013-3567

Stig Sandbeck Mathisen ssm at debian.org
Sat Jun 22 16:17:57 UTC 2013 

Hello,

There's a published security issue with the puppet packages, with the
identifier CVE-2013-3567

Upstream information is at
http://puppetlabs.com/security/cve/cve-2013-3567/

The vulnerability exists in all versions of puppet in Debian, but is
fixed in 3.2.2-1, which is uploaded to unstable.

We've received patches from Puppet Labs, the upstream, which fixes
this in 2.7.21.  This patch has been backported to the version in
wheezy (2.7.18), and will be fixed in the upcoming "puppet 2.7.18-5"
after testing.

| package | version          | codename          | status         | notes                                            |
|---------+------------------+-------------------+----------------+--------------------------------------------------|
| puppet  | 2.6.2-5+squeeze6 | squeeze           | vulnerable     |                                                  |
| puppet  | 2.6.2-5+squeeze7 | squeeze-p-u       | vulnerable     |                                                  |
| puppet  | 2.6.2-5+squeeze7 | squeeze-security  | vulnerable     | patch received, http://bugs.debian.org/712745#41 |
| puppet  | 2.7.18-3~bpo60+1 | squeeze-backports | vulnerable     | pending wheezy                                   |
| puppet  | 2.7.18-4         | wheezy            | vulnerable     | fix committed, passes dep8 test, need rl testing |
| puppet  | 3.2.1-1          | jessie            | vulnerable     | will not receive 3.2.2-1                         |
| puppet  | 3.2.2-1          | sid               | not vulnerable | has an "apache2 migration issue"         |

As tradition demands, the security fix from Puppet Labs clocks in at a
5.5k line diff.

This time, to add a "safe YAML load" feature, the gem "safe_yaml" has
been vendored.  This gem is not present in wheezy, so it has been left
intact in the security update.  For the version to be used in sid and
jessie, the gem is packaged as "ruby-safe-yaml", and has been added as
a dependency.

The full patch for puppet 2.7.18-4 (which is heavily patched already)
in stable is available at
http://anonscm.debian.org/gitweb/?p=pkg-puppet/puppet.git;a=commit;h=7c9cd3135abfb996b947e684c05f0958c4ced0df

A filtered patch (for easier review, code changes only, and without
the vendored gem) has been attached as
cve-2013-3567_for_2.7.18-4_filtered.patch

For "squeeze", puppet 2.6.x is outside upstream's support. A patch to
fix this issue has been contributed by Raphael Geissert
<geissert at debian.org>.  This is visible at
http://bugs.debian.org/712745#41

For "testing", there is an issue with the package on apache2.2, which
has to be fixed before it can migrate to testing.  The status if this
issue can be tracked at http://bugs.debian.org/713070

For "unstable", this issue is fixed.

-- 
Stig Sandbeck Mathisen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cve-2013-3567_for_2.7.18-4_filtered.patch
Type: text/x-diff
Size: 20196 bytes
Desc: Filtered patch for review
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20130622/54ffda4c/attachment.patch>

More information about the Pkg-puppet-devel mailing list