Bug 721139 – VUL-0: puppet directory traversal

Bug 721139 - VUL-0: puppet directory traversal


Summary:	VUL-0: puppet directory traversal

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Vítězslav Čížek
QA Contact:	Security Team bot

URL:
Whiteboard:	. maint:released:11.3:44045 maint:rel...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2011-09-29 09:40 UTC by Ludwig Nussel
Modified:	2012-07-16 09:00 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ludwig Nussel 2011-09-29 09:40:29 UTC

Your friendly security team received the following report.
Please respond ASAP.

Directory traversal vulnerability in puppet allowed unauthenticated remote attackers to upload x.509 certificate signing requests to arbitrary locations (CVE-2011-3848)

Comment 5 Ludwig Nussel 2011-10-04 13:20:35 UTC

public meanwhile:
https://groups.google.com/forum/#!topic/puppet-users/5XzidA_rlAY

Comment 7 Bernhard Wiedemann 2011-10-04 16:00:12 UTC

This is an autogenerated message for OBS integration:
This bug (721139) was mentioned in
https://build.opensuse.org/request/show/86554 11.3 / puppet
https://build.opensuse.org/request/show/86557 11.4 / puppet

Comment 8 Vítězslav Čížek 2011-10-04 16:01:13 UTC

I've submitted packages to openSUSE 11.3, 11.4 and SLE-11-SP1.

Comment 19 Swamp Workflow Management 2011-10-27 07:58:22 UTC

Update released for: puppet, puppet-server
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)

Comment 20 Swamp Workflow Management 2011-10-27 08:04:45 UTC

The SWAMPID for this issue is 43902.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-10.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 21 Bernhard Wiedemann 2011-10-28 08:00:20 UTC

This is an autogenerated message for OBS integration:
This bug (721139) was mentioned in
https://build.opensuse.org/request/show/89615 Evergreen:11.1 / puppet

Comment 23 Vítězslav Čížek 2011-11-03 15:01:56 UTC

I guess I can close this too,
as it's fixed in 11.3, 11.4 and SP2.

Comment 24 Swamp Workflow Management 2011-11-28 10:48:27 UTC

Update released for: puppet, puppet-server
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)

Comment 25 Swamp Workflow Management 2011-11-29 02:58:51 UTC

Update released for: puppet, puppet-server
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Comment 26 Bernhard Wiedemann 2011-11-30 17:00:18 UTC

This is an autogenerated message for OBS integration:
This bug (721139) was mentioned in
https://build.opensuse.org/request/show/94589 Evergreen:11.2 / puppet

Comment 27 Bernhard Wiedemann 2012-07-10 12:00:28 UTC

This is an autogenerated message for OBS integration:
This bug (721139) was mentioned in
https://build.opensuse.org/request/show/127500 Evergreen:11.2 / puppet

Comment 28 Bernhard Wiedemann 2012-07-16 09:00:40 UTC

This is an autogenerated message for OBS integration:
This bug (721139) was mentioned in
https://build.opensuse.org/request/show/127980 Evergreen:11.2 / puppet