Bug 770827

Summary: VUL-1: CVE-2012-3866: puppet: last_run_report.yaml left world-readable
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Weckbecker <mweckbecker>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: .
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matthias Weckbecker 2012-07-11 08:23:39 UTC
Version 2.7.18 of puppet fixed multiple security vulnerabilities, among
them CVE-2012-3866:

 "The most recent Puppet run report is stored on the Puppet master
  with world-readable permissions. The report file contains the context
  diffs of any changes to configuration on an agent, which may contain
  sensitive information that an attacker can then access. The last run
  report is overwritten with every Puppet run."
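
Added example (not part of the bug report and not Puppet's own code): the write pattern that inherits the process umask, beside a write that sets an explicit mode independent of the umask, plus the audit check a master administrator could run over a reports directory. The file name last_run_report.yaml is taken from the advisory; the directory layout and the report contents are constructed for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'
require 'yaml'

# Constructed stand-in for a run report; a real report would carry the context
# diffs the advisory mentions, which is why its mode matters.
SAMPLE_REPORT = { 'host' => 'agent.example', 'diff' => "-password=old\n+password=new\n" }

# Default pattern: the created file's mode comes from the process umask,
# which on most systems (umask 022) yields 0644, i.e. world-readable.
def write_report_default(path, report)
  File.write(path, YAML.dump(report))
  path
end

# Hardened pattern: open with an explicit mode and chmod afterwards, so the
# result depends neither on the umask nor on the mode of a pre-existing file.
# Writing to a temp file and renaming avoids exposing a half-written report.
def write_report_restricted(path, report, mode = 0o640)
  tmp = "#{path}.tmp"
  File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.write(YAML.dump(report)) }
  File.chmod(mode, tmp)
  File.rename(tmp, path)
  path
end

# Audit helper: true when the "others" read bit is set.
def world_readable?(path)
  (File.stat(path).mode & 0o004) != 0
end

# Audit a reports directory (assumed layout: <dir>/<agent>/last_run_report.yaml).
def exposed_reports(dir)
  Dir.glob(File.join(dir, '**', 'last_run_report.yaml')).select { |p| world_readable?(p) }
end

# Demo: one agent written the default way, one the restricted way; returns the
# agents whose report is world-readable.
def demo
  Dir.mktmpdir do |dir|
    old_umask = File.umask(0o022) # simulate the common default umask
    begin
      a = File.join(dir, 'agent-a'); b = File.join(dir, 'agent-b')
      FileUtils.mkdir_p(a); FileUtils.mkdir_p(b)
      write_report_default(File.join(a, 'last_run_report.yaml'), SAMPLE_REPORT)
      write_report_restricted(File.join(b, 'last_run_report.yaml'), SAMPLE_REPORT)
      exposed_reports(dir).map { |p| File.basename(File.dirname(p)) }
    ensure
      File.umask(old_umask)
    end
  end
end

puts demo.inspect if __FILE__ == $0
```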

Comment 1 Swamp Workflow Management 2012-07-11 09:09:39 UTC
The SWAMPID for this issue is 48203.
This issue was rated as important.
Please submit fixed packages by 2012-07-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Bernhard Wiedemann 2012-07-11 14:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (770827) was mentioned in
https://build.opensuse.org/request/show/127662 Factory / puppet
Comment 3 Vojtech Dziewiecki 2012-07-13 08:52:47 UTC
20491 sle11
127669 11.4
127668 12.1
127662 Factory (new version)
Comment 4 Swamp Workflow Management 2012-07-19 15:08:40 UTC
openSUSE-SU-2012:0891-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 770827,770828,770829,770833
CVE References: CVE-2012-3864,CVE-2012-3865,CVE-2012-3866,CVE-2012-3867
Sources used:
openSUSE 12.1 (src):    puppet-2.7.6-1.10.1
openSUSE 11.4 (src):    puppet-2.6.17-26.1
Comment 5 Matthias Weckbecker 2012-08-16 11:35:40 UTC