Bug 726372 – VUL-0: puppet AltNames Vulnerability

Bug 726372 - VUL-0: puppet AltNames Vulnerability


Summary:	VUL-0: puppet AltNames Vulnerability

Status:	RESOLVED FIXED
Duplicates:	728749 (view as bug list)

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	E-mail List

URL:
Whiteboard:	maint:released:11.3:44045 maint:relea...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2011-10-25 12:53 UTC by Sebastian Krahmer
Modified:	2011-12-09 22:00 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2011-10-25 12:53:33 UTC

There is a new vulnerability in puppet described here:

http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/


It is CVE-2011-3872

Comment 1 Vítězslav Čížek 2011-10-25 14:10:16 UTC

Version 2.7.6, which doesn't issue dangerous certificates has been submitted to Factory (request id 89291).

Comment 3 Swamp Workflow Management 2011-10-27 08:04:45 UTC

The SWAMPID for this issue is 43902.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-10.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 4 Vítězslav Čížek 2011-10-27 15:13:13 UTC

I've asked upstream for patches, as they released the new tarballs only.

(From Sebastian's link:
Distribution maintainers have been sent patches for all the versions of Puppet that are currently maintained in Fedora, EPEL, Debian, Ubuntu and Gentoo.)

Comment 5 Bernhard Wiedemann 2011-10-31 11:00:10 UTC

This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/89788 11.4 / puppet

Comment 6 Bernhard Wiedemann 2011-11-01 11:00:19 UTC

This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/89861 11.4 / puppet
https://build.opensuse.org/request/show/89863 11.3 / puppet

Comment 12 Vítězslav Čížek 2011-11-01 13:56:46 UTC

Sure, thanks.

Comment 17 Dirk Mueller 2011-11-08 13:17:33 UTC

*** Bug 728749 has been marked as a duplicate of this bug. ***

Comment 20 Swamp Workflow Management 2011-11-08 23:00:22 UTC

bugbot adjusting priority

Comment 22 Swamp Workflow Management 2011-11-09 23:00:22 UTC

bugbot adjusting priority

Comment 24 Vítězslav Čížek 2011-11-11 17:19:51 UTC

Fixed. Closing.

Comment 25 Swamp Workflow Management 2011-11-28 10:48:20 UTC

Update released for: puppet, puppet-server
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)

Comment 26 Swamp Workflow Management 2011-11-29 02:58:45 UTC

Update released for: puppet, puppet-server
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Comment 27 Bernhard Wiedemann 2011-11-30 17:00:34 UTC

This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/94589 Evergreen:11.2 / puppet

Comment 28 Bernhard Wiedemann 2011-12-09 22:00:15 UTC

This is an autogenerated message for OBS integration:
This bug (726372) was mentioned in
https://build.opensuse.org/request/show/96214 Evergreen:11.1 / puppet
https://build.opensuse.org/request/show/96215 Evergreen:11.1 / puppet