Gentoo Linux Security Advisory 201203-3 - Multiple vulnerabilities have been found in Puppet, the worst of which might allow local attackers to gain escalated privileges. Versions less than 2.7.11 are affected.
69813f02a92f89229d9a09aea745f127f1932ebbc0d9430aa9f9838397cd205b
Debian Linux Security Advisory 2352-1 - It was discovered that Puppet, a centralized configuration management solution, generated certificates incorrectly if the "certdnsnames" option was used. This could lead to man-in-the-middle attacks.
e22d1f5f7e44f257d626763c5cd583b170c317b980206265d22f9036bcea5a23
Ubuntu Security Notice 1238-2 - USN-1238-1 fixed vulnerabilities in Puppet. The upstream patch introduced a regression in Ubuntu 11.04 when executing certain commands. This update fixes the problem. It was discovered that Puppet incorrectly handled the non-default "certdnsnames" option when generating certificates. If this setting was added to puppet.conf, the puppet master's DNS alt names were added to the X.509 Subject Alternative Name field of all certificates, not just the puppet master's certificate. An attacker who has an incorrectly generated agent certificate in their possession can use it to impersonate the puppet master in a man-in-the-middle attack.
24f1ff0a4bf1e3e276009e4999f192df87a00a2098234c3807f2ffc5f471cff2
Ubuntu Security Notice 1238-1 - It was discovered that Puppet incorrectly handled the non-default "certdnsnames" option when generating certificates. If this setting was added to puppet.conf, the puppet master's DNS alt names were added to the X.509 Subject Alternative Name field of all certificates, not just the puppet master's certificate. An attacker who has an incorrectly generated agent certificate in their possession can use it to impersonate the puppet master in a man-in-the-middle attack.
ae7ab9a381c1ba9bfec6b237a0e254fca36b4e9df829004852518239d8c13d45