CVE-2017-2295

Priority
Medium
Description
Previously, an authenticated user could cause the master to execute
YAML.load on user-specified input, as well as MessagePack.unpack if the
msgpack gem was installed.
Since 3.2.2, agents have always sent facts as PSON. There is no reason
to support other formats, so reject all fact formats except PSON.
Package
Upstream: released (4.8.2-5)
Ubuntu 17.10 (Artful Aardvark): not-affected (4.8.2-5ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (3.4.3-1ubuntu1.2)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 16.10 (Yakkety Yak): needed
Ubuntu 17.04 (Zesty Zapus): needed
Patches:
Upstream: https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea

Updated: 2017-06-05 18:14:13 UTC (commit 12681)