CVE-2013-1652
Published: 12 March 2013
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors.
Notes
Author | Note |
---|---|
mdeslaur | Upstream no longer supports 0.25.x as found in lucid. The code is substantially different, rendering a backport of this security update difficult. Since puppet in Lucid is almost end-of-life, we aren't planning on backporting the security fix to it. For Lucid users, we recommend using puppet 2.7.1-1ubuntu3.8~ubuntu10.04.1 currently in lucid-backports. |