Bug 727024 - VUL-0: puppet file overwrite via .k5login file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Vítězslav Čížek
Security Team bot
maint:released:11.3:44045 maint:relea...
Reported: 2011-10-28 08:47 UTC by Ludwig Nussel
Modified: 2012-07-16 09:00 UTC

Found By: Other
Description Ludwig Nussel 2011-10-28 08:47:48 UTC
Your friendly security team received the following report via mitre.
Please respond ASAP.
The issue is public.

-------8<-------
======================================================
Name: CVE-2011-3869

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.


Reference: UBUNTU: http://www.ubuntu.com/usn/USN-1223-2
Reference: UBUNTU: http://www.ubuntu.com/usn/USN-1223-1
Reference: DEBIAN: http://www.debian.org/security/2011/dsa-2314
Reference: SECUNIA: http://secunia.com/advisories/46458
Reference: FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
Reference: FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
Reference: FEDORA: http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
Reference: CONFIRM: http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
Comment 1 Bernhard Wiedemann 2011-10-31 11:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/89788 11.4 / puppet
Comment 2 Bernhard Wiedemann 2011-10-31 13:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/89794 11.3 / puppet
https://build.opensuse.org/request/show/89795 11.4 / puppet
Comment 3 Bernhard Wiedemann 2011-11-01 11:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/89861 11.4 / puppet
https://build.opensuse.org/request/show/89863 11.3 / puppet
Comment 4 Sebastian Krahmer 2011-11-01 13:07:56 UTC
handled in MaintenanceTracker-43902
Comment 6 Swamp Workflow Management 2011-11-28 10:48:22 UTC
Update released for: puppet, puppet-server
Products:
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)
Comment 7 Swamp Workflow Management 2011-11-29 02:58:46 UTC
Update released for: puppet, puppet-server
Products:
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 8 Bernhard Wiedemann 2011-12-09 22:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/96214 Evergreen:11.1 / puppet
https://build.opensuse.org/request/show/96215 Evergreen:11.1 / puppet
Comment 9 Bernhard Wiedemann 2012-07-10 12:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/127500 Evergreen:11.2 / puppet
Comment 10 Bernhard Wiedemann 2012-07-16 09:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (727024) was mentioned in
https://build.opensuse.org/request/show/127980 Evergreen:11.2 / puppet