V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
ptcracker
V2EX  ›  Puppet

Puppet 出现两个漏洞:任意代码执行、模块权限绕过,大家尽快升级!

  •  
  •   ptcracker · 2013-08-28 18:45:13 +08:00 · 6447 次点击
    这是一个创建于 4140 天前的主题,其中的信息可能已经有所发展或是发生改变。
    _______________________________________________________________________

    Package : puppet
    Date : August 27, 2013
    _______________________________________________________________________

    Problem Description:

    Updated puppet and puppet3 package fix security vulnerabilities:

    It was discovered that Puppet incorrectly handled the resource_type
    service. A local attacker on the master could use this issue to
    execute arbitrary Ruby files (CVE-2013-4761).

    It was discovered that Puppet incorrectly handled permissions on the
    modules it installed. Modules could be installed with the permissions
    that existed when they were built, possibly exposing them to a local
    attacker (CVE-2013-4956).
    _______________________________________________________________________

    References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956
    http://advisories.mageia.org/MGASA-2013-0259.html
    _______________________________________________________________________
    目前尚无回复
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2645 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 35ms · UTC 09:50 · PVG 17:50 · LAX 01:50 · JFK 04:50
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.