CVE-2012-1906

Priority
Description
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
(PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 use predictable
file names when installing Mac OS X packages from a remote source, which
allows local users to overwrite arbitrary files or install arbitrary
packages via a symlink attack on a temporary file in /tmp.
Notes
tyhicks: Yama mitigates this
Despite these being OS X package providers, we do ship them so they
will get patched
Package
Upstream: needs-triage

Updated: 2019-12-05 20:59:01 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)