Bug 726372

Summary: VUL-0: puppet AltNames Vulnerability
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P3 - Medium
CC: dmueller, security-team, vcizek
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:11.3:44045 maint:released:11.4:44045 maint:released:sle11-sp1:44046
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2011-10-25 12:53:33 UTC
There is a new vulnerability in puppet described here:

http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/


It is CVE-2011-3872
Comment 1 Vítězslav Čížek 2011-10-25 14:10:16 UTC
Version 2.7.6, which doesn't issue dangerous certificates, has been submitted to Factory (request id 89291).
Comment 3 Swamp Workflow Management 2011-10-27 08:04:45 UTC
The SWAMPID for this issue is 43902.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-10.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Vítězslav Čížek 2011-10-27 15:13:13 UTC
I've asked upstream for patches, as they released the new tarballs only.

(From Sebastian's link:
Distribution maintainers have been sent patches for all the versions of Puppet that are currently maintained in Fedora, EPEL, Debian, Ubuntu and Gentoo.)
Comment 5 Bernhard Wiedemann 2011-10-31 11:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/89788 11.4 / puppet
Comment 6 Bernhard Wiedemann 2011-11-01 11:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/89861 11.4 / puppet
https://build.opensuse.org/request/show/89863 11.3 / puppet
Comment 12 Vítězslav Čížek 2011-11-01 13:56:46 UTC
Sure, thanks.
Comment 17 Dirk Mueller 2011-11-08 13:17:33 UTC
*** Bug 728749 has been marked as a duplicate of this bug. ***
Comment 20 Swamp Workflow Management 2011-11-08 23:00:22 UTC
bugbot adjusting priority
Comment 22 Swamp Workflow Management 2011-11-09 23:00:22 UTC
bugbot adjusting priority
Comment 24 Vítězslav Čížek 2011-11-11 17:19:51 UTC
Fixed. Closing.
Comment 25 Swamp Workflow Management 2011-11-28 10:48:20 UTC
Update released for: puppet, puppet-server
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)
Comment 26 Swamp Workflow Management 2011-11-29 02:58:45 UTC
Update released for: puppet, puppet-server
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 27 Bernhard Wiedemann 2011-11-30 17:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/94589 Evergreen:11.2 / puppet
Comment 28 Bernhard Wiedemann 2011-12-09 22:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/96214 Evergreen:11.1 / puppet
https://build.opensuse.org/request/show/96215 Evergreen:11.1 / puppet