CVE-2017-2295

Priority
Medium
Description
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from
the agent to the server, in this case) with a attacker-specified format.
This could be used to force YAML deserialization in an unsafe manner, which
would lead to remote code execution. This change constrains the format of
data on the wire to PSON or safely decoded YAML.
References
Bugs
Package
Upstream:released (4.8.2-5)
Ubuntu 17.10 (Artful Aardvark):not-affected (4.8.2-5ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (3.4.3-1ubuntu1.2)
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 17.04 (Zesty Zapus):needed
Patches:
Upstream:https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea
More Information

Updated: 2017-08-11 23:25:04 UTC (commit 13081)