Medium: puppet

2012-05-08T23:13:00
ID ALAS-2012-075
Type amazon
Reporter Amazon
Modified 2014-09-14T16:09:00

Description

Issue Overview:

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.

Affected Packages:

puppet

Issue Correction:
Run yum update puppet to update your system.

New Packages:

i686:  
    puppet-debuginfo-2.6.16-1.6.amzn1.i686  
    puppet-2.6.16-1.6.amzn1.i686  
    puppet-server-2.6.16-1.6.amzn1.i686

src:  
    puppet-2.6.16-1.6.amzn1.src

x86_64:  
    puppet-debuginfo-2.6.16-1.6.amzn1.x86_64  
    puppet-2.6.16-1.6.amzn1.x86_64  
    puppet-server-2.6.16-1.6.amzn1.x86_64