[Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset supplementary groups when it switches to a different user

Giuseppe Iuculano iuculano at debian.org
Thu Oct 15 12:46:35 UTC 2009


Package: puppet
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for puppet.

CVE-2009-3564[0]:
| puppetmasterd in puppet 0.24.6 does not reset supplementary groups
| when it switches to a different user, which might allow local users to
| access restricted files.

Unfortunately, the vulnerability described above is not important enough
to get it fixed via a regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However, it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability, please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3564
    http://security-tracker.debian.net/tracker/CVE-2009-3564
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrXGagACgkQNxpp46476apSHQCfcHeDYnvadCKBV5CkSyN0ViN7
r5IAn02E4bwIzgT6TlZNQuHNJnfQH3D4
=hbrZ
-----END PGP SIGNATURE-----
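
Added example (not part of the original message, and not Puppet's code or its fix): a Ruby sketch of the class of bug the CVE text describes, showing a drop order that resets supplementary groups before changing gid and uid, plus a check that reads a process's credentials from Linux /proc/<pid>/status text. The function names, the uid 105 / gid 108 account and the sample status text are assumptions constructed for illustration.

```ruby
require 'etc'

# Constructed /proc/<pid>/status excerpts (uid 105 / gid 108 are made-up values).
# The Uid/Gid columns are: real, effective, saved, filesystem.
STATUS_STALE = <<~EOS
  Name:\tdaemon-example
  Uid:\t105\t105\t105\t105
  Gid:\t108\t108\t108\t108
  Groups:\t0 108
EOS
STATUS_CLEAN = STATUS_STALE.sub("Groups:\t0 108", "Groups:\t108")

# Extract effective uid, effective gid and supplementary groups from status text.
def parse_status_creds(text)
  creds = { groups: [] }
  text.each_line do |line|
    key, value = line.split(":", 2)
    next unless value
    case key
    when "Uid"    then creds[:euid] = value.split[1].to_i
    when "Gid"    then creds[:egid] = value.split[1].to_i
    when "Groups" then creds[:groups] = value.split.map(&:to_i)
    end
  end
  creds
end

# Supplementary GIDs a non-root process still holds beyond what the target
# account is entitled to (allowed_gids); non-empty means groups were not reset.
def leftover_groups(creds, allowed_gids)
  return [] if creds[:euid] == 0
  (creds[:groups] - allowed_gids - [creds[:egid]]).sort
end

# Hypothetical helper: drop from root to `user`. Order matters: the
# supplementary group list can only be replaced while still root, so it is
# reset first, then the gid, and the uid last.
def drop_privileges(user)
  pw = Etc.getpwnam(user)
  Process.initgroups(pw.name, pw.gid)    # replaces root's supplementary groups
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
end
```

On a live system the same check can be fed File.read("/proc/#{pid}/status") for the daemon's pid, with allowed_gids taken from the account's group memberships.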




