CVE-2017-2295

Priority
Description
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from
the agent to the server, in this case) with a attacker-specified format.
This could be used to force YAML deserialization in an unsafe manner, which
would lead to remote code execution. This change constrains the format of
data on the wire to PSON or safely decoded YAML.
Notes
Package
Upstream:released (4.8.2-5)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (3.4.3-1ubuntu1.2)
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (4.8.2-5ubuntu1)
Ubuntu 19.10 (Eoan Ermine):not-affected (4.8.2-5ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (4.8.2-5ubuntu1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (4.8.2-5ubuntu1)
Patches:
Upstream:https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea
More Information

Updated: 2020-05-07 18:24:48 UTC (commit 3db3e0dddc92f0ed79599b5949ba82bc7a3031ed)