Bug 770827 - VUL-1: CVE-2012-3866: puppet: last_run_report.yaml left world-readable
VUL-1: CVE-2012-3866: puppet: last_run_report.yaml left world-readable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
.
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-11 08:23 UTC by Matthias Weckbecker
Modified: 2012-08-16 11:37 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2012-07-11 08:23:39 UTC
Version 2.7.18 of puppet fixed multiple security vulnerabilities, among
others also CVE-2012-3866 was fixed:

 "The most recent Puppet run report is stored on the Puppet master
  with world-readable permissions. The report file contains the context
  diffs of any changes to configuration on an agent, which may contain
  sensitive information that an attacker can then access. The last run
  report is overwritten with every Puppet run.",

 http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes
Comment 1 Swamp Workflow Management 2012-07-11 09:09:39 UTC
The SWAMPID for this issue is 48203.
This issue was rated as important.
Please submit fixed packages until 2012-07-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Bernhard Wiedemann 2012-07-11 14:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (770827) was mentioned in
https://build.opensuse.org/request/show/127662 Factory / puppet
Comment 3 Vojtech Dziewiecki 2012-07-13 08:52:47 UTC
Submitted:
20491 sle11
127669 11.4
127668 12.1
127662 Factory (new version)
Comment 4 Swamp Workflow Management 2012-07-19 15:08:40 UTC
openSUSE-SU-2012:0891-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 770827,770828,770829,770833
CVE References: CVE-2012-3864,CVE-2012-3865,CVE-2012-3866,CVE-2012-3867
Sources used:
openSUSE 12.1 (src):    puppet-2.7.6-1.10.1
openSUSE 11.4 (src):    puppet-2.6.17-26.1
Comment 5 Matthias Weckbecker 2012-08-16 11:35:40 UTC
released