Azure Linux 3.0 Security Update: puppet (CVE-2015-1029)

The version of puppet installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2015-1029 advisory. - The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlie...

EUVD-2013-1685

Malware in sbrugna...

EUVD-2021-0827

Malware in sbrugna...

EUVD-2012-1091

Malware in sbrugna...

EUVD-2022-3160

Malicious code in bioql PyPI...

SUSE CVE-2011-3869

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file...

SUSE CVE-2011-3872

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise PE Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof ...

SUSE CVE-2011-3871

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files...

SUSE CVE-2013-1653

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code v...

SUSE CVE-2013-2275

The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors...

SUSE CVE-2013-4761

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resourcetype service. NOTE: this vulnerability can only be exploited...

Information Disclosure

Overview puppet is an automated configuration management tool. Affected versions of this package are vulnerable to Information Disclosure that may result in a leak of HTTP credentials. Remediation Upgrade puppet to version 6.25.1, 7.12.1 or higher. References - GitHub Commit - GitHub Commit -...

DEBIAN-CVE-2013-4969

Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise PE before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files...

DEBIAN-CVE-2013-2275

The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors...

DEBIAN-CVE-2013-1654

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors...

puppet: authenticated clients allowed to read arbitrary files from the puppet master

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request...

puppet: Filebucket arbitrary code execution

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise PE Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full...

DEBIAN-CVE-2012-1054

Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise PE Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login...

CVE-2012-1054

Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise PE Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login...

DEBIAN-CVE-2011-3848

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request CSR to arbitrary locations via 1 a double-encoded key parameter in the URI in 2.7.x, 2 the CN in the Subject of a CSR in 2.6 and 0.25...