[Pkg-puppet-devel] Bug#775535: CVE-2015-1029
Stig Sandbeck Mathisen
ssm at debian.org
Sat Jan 17 09:46:58 UTC 2015
Moritz Muehlenhoff <jmm at debian.org> writes:
> Package: puppet-module-puppetlabs-stdlib
> Severity: important
> Tags: security
>
> Hi,
> please see http://puppetlabs.com/security/cve/cve-2015-1029

Thanks. I did some testing yesterday around this.

The page says:

Affected Software Versions: "puppetlabs-stdlib 4.1.0 - 4.5.0 (with
facter 1.7 and newer)"

I think it should be "with facter 1.6 and older", judging from
https://github.com/puppetlabs/puppetlabs-stdlib/blob/4.3.2/lib/facter/facter_dot_d.rb#L190

This means that it will not affect puppet master and its nodes whenever
those run jessie or sid.

It will not affect wheezy directly, since this module is not packaged
for that release.

However, when the puppet master is upgraded to jessie, and you still
have nodes running facter 1.6 (wheezy and anything older), those will be
at risk if this module is included in the environment nodes are
classified to.

To summarize:

Not affected:

* squeeze (module not available)
* wheezy (module not available)
* jessie (facter is new enough)

Affected:

* puppet agents on wheezy or squeeze when connecting to a puppet master
  running jessie with puppet-module-puppetlabs-stdlib installed (unless
  those nodes are classified to an environment where puppetlabs/stdlib
  is not included).

--
Stig Sandbeck Mathisen