PublicDateAtUSN: 2011-09-28
Candidate: CVE-2011-3848
CRD: 2011-09-28
PublicDate: 2011-10-27 20:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3848
 https://ubuntu.com/security/notices/USN-1217-1
Description:
 Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x
 before 2.7.4 allows remote attackers to write X.509 Certificate Signing
 Request (CSR) to arbitrary locations via (1) a double-encoded key parameter
 in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25.
Ubuntu-Description:
Notes:
Bugs:
 https://launchpad.net/bugs/861182
Priority: high
Discovered-by: Kristian Erik Hermansen
Assigned-to: jdstrand
CVSS:

Patches_puppet:
upstream_puppet: pending (2.6.10, 2.7.4)
hardy_puppet: pending (0.24.4-3ubuntu0.1)
lucid_puppet: released (0.25.4-2ubuntu6.2)
maverick_puppet: released (2.6.1-0ubuntu2.1)
natty_puppet: released (2.6.4-2ubuntu2.2)
devel_puppet: released (2.7.1-1ubuntu2)