USN-917-1: Puppet vulnerabilities

Publication date

24 March 2010

Overview

Puppet vulnerabilities

Releases


Packages

Details

It was discovered that Puppet did not drop supplementary groups when being
run as a different user. A local user may be able to use this flaw to
bypass security restrictions and gain access to restricted files.
(CVE-2009-3564)

It was discovered that Puppet did not correctly handle temporary files. A
local user can exploit this flaw to bypass security restrictions and
overwrite arbitrary files. (CVE-2010-0156)

It was discovered that Puppet did not drop supplementary groups when being
run as a different user. A local user may be able to use this flaw to
bypass security restrictions and gain access to restricted files.
(CVE-2009-3564)

It was discovered that Puppet did not correctly handle temporary files. A
local user can exploit this flaw to bypass security restrictions and
overwrite arbitrary files. (CVE-2010-0156)

Update instructions

In general, a standard system upgrade is sufficient to effect the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
9.10 karmic puppet –  0.24.8-2ubuntu4.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›