Puppet updates close security holes
The Puppet Labs developers have released updates to the system management automation platform to correct a number of security flaws in both its open source and enterprise editions. The fixes apply to Puppet 2.6.17 and earlier, 2.7.20 and earlier, and version 3.1, as well as Puppet Enterprise 1.2.6 and earlier and 2.7.1 and earlier.
The flaws include a number of remote code execution problems, either unauthenticated – CVE-2013-1655 for Puppet 2.7.x and 3.1 – or authenticated on master nodes – CVE-2013-2274 for Puppet 2.6.x and Enterprise 1.2.x and CVE-2013-1640 for all versions – or authenticated on agents – CVE-2013-1653 for Puppet 2.7.x, 3.1 and Puppet Enterprise 2.7.1.
There were also issues with SSL downgrade vulnerabilities (CVE-2013-1654) fixed by disabling SSLv2, insufficient input validation (CVE-2013-1652), and badly configured default ACL settings (CVE-2013-2275) which affected all versions. Puppet Labs has now released Puppet versions 2.6.18, 2.7.21 and 3.1.1 and Puppet Enterprise versions 1.2.7 and 2.7.2.
The Puppet open source versions are available for download. Puppet Enterprise users should consult Puppet Labs support for details of how to update.