Bug 1078984 - (CVE-2017-2293) VUL-0: CVE-2017-2293: Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds def
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/199344/
Reported: 2018-02-02 08:11 UTC by Alexander Bergmann
Modified: 2018-02-02 08:12 UTC
Found By: Security Response Team

Description Alexander Bergmann 2018-02-02 08:11:28 UTC
CVE-2017-2293

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an
MCollective configuration that allowed the package plugin to install or remove
arbitrary packages on all managed agents. This release adds default
configuration to not allow these actions. Customers who rely on this
functionality can change this policy.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2293
https://puppet.com/security/cve/cve-2017-2293
Comment 1 Alexander Bergmann 2018-02-02 08:12:15 UTC
Only Puppet Enterprise is affected.