PublicDateAtUSN: 2013-03-12 18:00:00 UTC
Candidate: CVE-2013-1652
CRD: 2013-03-12 18:00:00 UTC
PublicDate: 2013-03-20 16:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1652
 https://ubuntu.com/security/notices/USN-1759-1
Description:
 Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
 Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote
 authenticated users with a valid certificate and private key to read
 arbitrary catalogs or poison the master's cache via unspecified vectors.
Ubuntu-Description:
Notes:
 mdeslaur> Upstream no longer supports 0.25.x as found in lucid. The code
 mdeslaur> is substantially different, rendering a backport of this
 mdeslaur> security update difficult. Since puppet in Lucid is almost
 mdeslaur> end-of-life, we aren't planning on backporting the security fix
 mdeslaur> to it. For Lucid users, we recommend using puppet
 mdeslaur> 2.7.1-1ubuntu3.8~ubuntu10.04.1 currently in lucid-backports.
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_puppet:
upstream_puppet: released (2.6.18, 2.7.21, 3.1.1)
hardy_puppet: ignored (reached end-of-life)
lucid_puppet: ignored
oneiric_puppet: released (2.7.1-1ubuntu3.8)
precise_puppet: released (2.7.11-1ubuntu2.2)
quantal_puppet: released (2.7.18-1ubuntu1.1)
devel_puppet: released (2.7.18-1ubuntu2)