puppet: CVE-2017-2295: unsafe YAML deserialization


Debian Bug report logs - #863212
puppet: CVE-2017-2295: unsafe YAML deserialization


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 23 May 2017 17:15:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version puppet/3.7.2-1

Fixed in versions puppet/4.8.2-5, puppet/3.7.2-4+deb8u1

Done: Apollon Oikonomopoulos <apoikos@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#863212; Package src:puppet. (Tue, 23 May 2017 17:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Tue, 23 May 2017 17:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: puppet: CVE-2017-2295: unsafe YAML deserialization
Date: Tue, 23 May 2017 19:10:15 +0200
Source: puppet
Version: 3.7.2-1
Severity: grave
Tags: upstream security patch

Hi,

the following vulnerability was published for puppet.

CVE-2017-2295[0]:
Unsafe YAML deserialization

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2295
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2295
[1] https://puppet.com/security/cve/cve-2017-2295
[2] https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea

Regards,
Salvatore



Reply sent to Apollon Oikonomopoulos <apoikos@debian.org>:
You have taken responsibility. (Tue, 23 May 2017 21:09:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 23 May 2017 21:09:05 GMT) (full text, mbox, link).


Message #10 received at 863212-close@bugs.debian.org (full text, mbox, reply):

From: Apollon Oikonomopoulos <apoikos@debian.org>
To: 863212-close@bugs.debian.org
Subject: Bug#863212: fixed in puppet 4.8.2-5
Date: Tue, 23 May 2017 21:06:38 +0000
Source: puppet
Source-Version: 4.8.2-5

We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoikos@debian.org> (supplier of updated puppet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 23 May 2017 23:17:46 +0300
Source: puppet
Binary: puppet puppet-master puppetmaster puppet-master-passenger puppetmaster-passenger puppet-common
Architecture: source all
Version: 4.8.2-5
Distribution: unstable
Urgency: high
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Apollon Oikonomopoulos <apoikos@debian.org>
Description:
 puppet     - configuration management system
 puppet-common - transitional dummy package
 puppet-master - configuration management system, master service
 puppet-master-passenger - configuration management system, scalable master service
 puppetmaster - configuration management system, master service - transitional pa
 puppetmaster-passenger - configuration management system, scalable master service - transi
Closes: 863212
Changes:
 puppet (4.8.2-5) unstable; urgency=high
 .
   * master: accept facts only in PSON format (CVE-2017-2295) (Closes:
     #863212).
Checksums-Sha1:
 bf4e28dfd0c09a509a3a2e7c27b6aea5718df293 2524 puppet_4.8.2-5.dsc
 e2f8c013316dadf0923b191243615ef428cffc21 37756 puppet_4.8.2-5.debian.tar.xz
 fe7cabdc8b629045ff89e917a38bc9c3259f0396 23590 puppet-common_4.8.2-5_all.deb
 47122b89d464dcc8f3e2fc17c73f33691ba18276 27226 puppet-master-passenger_4.8.2-5_all.deb
 7ffcf144c1e7f7a1202bbb62746313432a3f515c 26140 puppet-master_4.8.2-5_all.deb
 b134e72ebf28718171edb009d14da8766f0952a8 1122848 puppet_4.8.2-5_all.deb
 b393786913df378127863782a67675d350af2b7d 8054 puppet_4.8.2-5_amd64.buildinfo
 9692ef7d80d27d5977e4bffa7d6933a6464e0e80 22916 puppetmaster-passenger_4.8.2-5_all.deb
 04f0cbd9721eeaac3f208c4da389ba823739cb00 23092 puppetmaster_4.8.2-5_all.deb
Checksums-Sha256:
 13925c5d2f4093e8e5ae1c5e672bcf50306bedff6a13b392287cb4ccbbbd382a 2524 puppet_4.8.2-5.dsc
 02916abb3e20c698279b837f32ca880a75c1d5d656c695854e9f34f318bf59c6 37756 puppet_4.8.2-5.debian.tar.xz
 759506391f933af9feb8253b7aaa5989185eae6fe127fdd8e47567af204a79fb 23590 puppet-common_4.8.2-5_all.deb
 e08faae64542326cd46f5564d3fd27615681aa29ae8de112018ba242ce142650 27226 puppet-master-passenger_4.8.2-5_all.deb
 3aab5db2d6cb4556068c3f3a402b5c438cadaca57f8696036b77def28c7a82a2 26140 puppet-master_4.8.2-5_all.deb
 6e00516561dc120e94697bab66cd55b63ec2e4f5fcf61e534b06ff8f6cc6b895 1122848 puppet_4.8.2-5_all.deb
 7ff0c6d01b7c518ba84b60a60700ce428cafe9cebf778d84779529bcc70cc076 8054 puppet_4.8.2-5_amd64.buildinfo
 ef17a6b742c43edc176111350f407be674c94484cdebc89a3208b4d7988dc065 22916 puppetmaster-passenger_4.8.2-5_all.deb
 277d226ef1816a428009e887f7abfcf2fea47499e102177078f646396a1536ef 23092 puppetmaster_4.8.2-5_all.deb
Files:
 d1bb290d0116442a22444ef514d339ee 2524 admin optional puppet_4.8.2-5.dsc
 c3717d442e18964f93d1270e39de7ec8 37756 admin optional puppet_4.8.2-5.debian.tar.xz
 8e8fae86283402ee14925e2486be510c 23590 oldlibs extra puppet-common_4.8.2-5_all.deb
 5b4b63935b01ef4b49a223290ccb3b44 27226 admin optional puppet-master-passenger_4.8.2-5_all.deb
 c51a725910b4aa9aad8f4ec2ec08954c 26140 admin optional puppet-master_4.8.2-5_all.deb
 63af0b28272b0ff8dc528bccf9a48412 1122848 admin optional puppet_4.8.2-5_all.deb
 e9547b228967c18cc5079a3013cd4536 8054 admin optional puppet_4.8.2-5_amd64.buildinfo
 09d45c05c34b1ee41e6ce8efb8a0b473 22916 oldlibs extra puppetmaster-passenger_4.8.2-5_all.deb
 46b4bae926badae6e78d5bd08a315657 23092 oldlibs extra puppetmaster_4.8.2-5_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEPgL9ZlYpWVIRC6uZ9RsYxyAkgiQFAlkkmTkACgkQ9RsYxyAk
giRp4A/+OVNYac4wOsRBCMOuIPlBev1IsE0nZI+H9CZrZKL9HSoUbJnhkl58wHDH
mCnVTqiB16E/NjcYW99s5t9SvGM7cR9G0KkOL6z7OrwNUjvtgvWfxAu1U22rqNxJ
6NL5nl8WfFyZTE2Df5dmtz/gRqn5rf1riAhq+7s6UeuwBXq9rFBwbo9Qebd0KiQW
0oc1+ikTOLSGjtJVyHOYlKfBwxO/L8wP1F9CHzTssRN/5OfVnOtigGlC+RdTVR9j
KEaA3WSjSR2ZRODRu0LRaFowaWwWrkUknYqLV4sO7btoEkQzp5dwCaU/eWakDXvz
jMKDYX0NlWvA2zXK5tta0e4ELnpSYH5l8F+hddmED2JqIUJJuJcj3AuftwTg8FEf
ZFbDaGiW9hw8K0/0ikpxc+F/Ebio55aD5vSn3Ch9ehSDk+bFf5zbm1IC2RYtjnv8
mcTqlspv3b6RbfqUXzZ2sy5pKfXGpivoPso5lP9LxEKyiw0+0LIv8oTiGpBO8VUC
RnMOEM+O+0VG9a3bzHEDCejZXB7HUtgMZMoEdg8YkAeX5o+XS6BLII/a0iSqcjXt
e6MAx9PIDaY+aXHZZ7d2PIDsoOpB5WQ/NzzWiidKwXPmipJOok8gc1ZQhvx+JYOA
qWk5s/8ihgzP1UhELCtYWrwEvCMufHrmMORf7r243e/6HqjKMP4=
=/be5
-----END PGP SIGNATURE-----




Reply sent to Apollon Oikonomopoulos <apoikos@debian.org>:
You have taken responsibility. (Wed, 31 May 2017 01:06:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 31 May 2017 01:06:06 GMT) (full text, mbox, link).


Message #15 received at 863212-close@bugs.debian.org (full text, mbox, reply):

From: Apollon Oikonomopoulos <apoikos@debian.org>
To: 863212-close@bugs.debian.org
Subject: Bug#863212: fixed in puppet 3.7.2-4+deb8u1
Date: Wed, 31 May 2017 01:02:10 +0000
Source: puppet
Source-Version: 3.7.2-4+deb8u1

We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoikos@debian.org> (supplier of updated puppet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 23 May 2017 23:35:37 +0300
Source: puppet
Binary: puppet-common puppet puppetmaster-common puppetmaster puppetmaster-passenger vim-puppet puppet-el puppet-testsuite
Architecture: source all
Version: 3.7.2-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Apollon Oikonomopoulos <apoikos@debian.org>
Description:
 puppet     - configuration management system, agent
 puppet-common - configuration management system
 puppet-el  - syntax highlighting for puppet manifests in emacs
 puppet-testsuite - configuration management system, development test suite
 puppetmaster - configuration management system, master service
 puppetmaster-common - configuration management system, master common files
 puppetmaster-passenger - configuration management system, scalable master service
 vim-puppet - syntax highlighting for puppet manifests in vim
Closes: 863212
Changes:
 puppet (3.7.2-4+deb8u1) jessie-security; urgency=high
 .
   * master: accept facts only in PSON format (CVE-2017-2295). Note that the
     fix for CVE-2017-2295 unfortunately breaks backward compatibility with
     agent versions prior to 3.2.2. (Closes: #863212)
     + Document compatibility issues in d/NEWS.
   * Add myself to Uploaders.
Checksums-Sha1:
 2f9020f9eec11c011b9ef3687215800ba8ec3c47 2592 puppet_3.7.2-4+deb8u1.dsc
 1659ec3d144ae0449fa548d45d0df541a4b882e3 2592103 puppet_3.7.2.orig.tar.gz
 af74d60547630fe78208f8082b9b43d81e661a05 44228 puppet_3.7.2-4+deb8u1.debian.tar.xz
 48cbdcc37a43e2d50b603770c2caad18870abeb5 1009180 puppet-common_3.7.2-4+deb8u1_all.deb
 bee2aca72981ea404656a1c6864412ecc3e4a099 25864 puppet_3.7.2-4+deb8u1_all.deb
 f89f99f0c57015ed2ca2ee6017a57fd40b17a905 26690 puppetmaster-common_3.7.2-4+deb8u1_all.deb
 08c7f280cc07b9e4afc76c56162562340bb0bcf8 25220 puppetmaster_3.7.2-4+deb8u1_all.deb
 42a4163c84a16af711c0f8cf8f06181d34993094 26000 puppetmaster-passenger_3.7.2-4+deb8u1_all.deb
 40ce30979beb53582b08fea29690633590722574 26528 vim-puppet_3.7.2-4+deb8u1_all.deb
 15b2daa27970cfa9ecc41affbf76a47e9e58e5cc 28014 puppet-el_3.7.2-4+deb8u1_all.deb
 b72760b5ecc435d1e463888806d0dcab41823278 805222 puppet-testsuite_3.7.2-4+deb8u1_all.deb
Checksums-Sha256:
 c4d4b56c0c9774176df274e2565297df9bc4ea7c732cef7a2206898ed4b77e50 2592 puppet_3.7.2-4+deb8u1.dsc
 f762c43da42c4b164afe70046ef65de88a389d718e37c79a1e92f4aa4ff571c5 2592103 puppet_3.7.2.orig.tar.gz
 edb0b1fb867dc52c2c506bb22dc9370049a6d9936e66715680c89f01d0619baf 44228 puppet_3.7.2-4+deb8u1.debian.tar.xz
 20e2667902bff0bdd5d4a18a318916e41a49d1ab75947ae655c63948a55281ca 1009180 puppet-common_3.7.2-4+deb8u1_all.deb
 d6b2e9d972263794e343787ae95fe79ad6062420bce2f04133d31f11343ba5e8 25864 puppet_3.7.2-4+deb8u1_all.deb
 9364e58783e65ef8c29c9bed384ae7ec453fbe516b5180241a412020d52aed85 26690 puppetmaster-common_3.7.2-4+deb8u1_all.deb
 54be781578d8cc3ebbe2bfa638726eee9ccfd04fdb6f5f67376695297cb8baf7 25220 puppetmaster_3.7.2-4+deb8u1_all.deb
 9a9c7c31475cf8b133a651457c452f760a141c3d9b4366c4cde56a8f6d495717 26000 puppetmaster-passenger_3.7.2-4+deb8u1_all.deb
 3a334b242efb35b0ba039e882bf93145a58f89d2c85a745ae343267eb8749d5c 26528 vim-puppet_3.7.2-4+deb8u1_all.deb
 3ca23d4d13738a4d14bc8f3b81354de5b9563b820c9546a85cc5f779901240be 28014 puppet-el_3.7.2-4+deb8u1_all.deb
 71440bcf12a91cc36a0f9445d11dbbd84a9270578c38db3618bc09290e08b56d 805222 puppet-testsuite_3.7.2-4+deb8u1_all.deb
Files:
 da370ee41974561734ae4b60047b5444 2592 admin optional puppet_3.7.2-4+deb8u1.dsc
 a3e2ae951760494e6f52e310420db8f2 2592103 admin optional puppet_3.7.2.orig.tar.gz
 40304b0e12e2bb0e52bb57f71038db2e 44228 admin optional puppet_3.7.2-4+deb8u1.debian.tar.xz
 e5403c3eb1f0601e8a9791c5f0252606 1009180 admin optional puppet-common_3.7.2-4+deb8u1_all.deb
 5db71327e67a33c62002dfa4ce49b965 25864 admin optional puppet_3.7.2-4+deb8u1_all.deb
 7bd77d15e6440dc3033c10516e0b500a 26690 admin optional puppetmaster-common_3.7.2-4+deb8u1_all.deb
 f4b1ce0eec869466d4df7875fd56c3cc 25220 admin optional puppetmaster_3.7.2-4+deb8u1_all.deb
 a2ae64e66049d52e2b1217adfc5bdc73 26000 admin optional puppetmaster-passenger_3.7.2-4+deb8u1_all.deb
 e54ecad32a47fbc52ebf835f926f6601 26528 admin optional vim-puppet_3.7.2-4+deb8u1_all.deb
 de7e01d7cab149e840b1fda56041003b 28014 admin optional puppet-el_3.7.2-4+deb8u1_all.deb
 c0be0c8d228d73002abcbc73a5185db5 805222 admin optional puppet-testsuite_3.7.2-4+deb8u1_all.deb

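Neither the bug report nor the two changelog entries above show any code, so the following Ruby block is an added illustration, not code from Puppet or from the Debian package. It shows the hazard the report's title names (loading attacker-supplied YAML with a loader that honours `!ruby/object:` tags, so the sender chooses which Ruby class is instantiated on the master) and the shape of the fix the changelogs describe ("accept facts only in PSON format": the master stops parsing YAML facts at all). The `Fact` class, the `HOSTILE_YAML` document, the `parse_submitted_facts` helper and the `ACCEPTED_FACT_FORMATS` list are all constructed for this example; `JSON.parse` stands in for Puppet's PSON parser (PSON is Puppet's JSON dialect), which is an assumption, not the real implementation.

```ruby
# Added example (not Puppet's or Debian's code): why parsing facts as YAML on
# the master was dangerous, and what "accept facts only in PSON format" changes.
require 'yaml'
require 'json'

# A harmless class that exists on the "master" side. In a real attack the YAML
# tag names a class whose deserialization or accessors do something dangerous.
class Fact
  attr_accessor :name, :value
end

# Constructed sample: what a hostile agent (or anyone who can tamper with the
# facts submission) might send as YAML facts. The tag selects the class.
HOSTILE_YAML = <<~YAML
  --- !ruby/object:Fact
  name: hostname
  value: attacker-controlled
YAML

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load; older Psych only has the unsafe YAML.load.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Vulnerable pattern: the YAML document decides which Ruby object is built.
def load_facts_unsafely(text)
  unsafe_yaml_load(text)
end

# Hardened YAML: only plain scalars and collections; a !ruby/object tag raises
# Psych::DisallowedClass instead of instantiating anything.
def load_facts_safely(text)
  YAML.safe_load(text)
end

# The approach the changelog describes: the master no longer parses YAML facts.
# JSON.parse stands in for the PSON parser here (assumption). JSON.parse does
# not perform "json_class" object revival, so the payload stays plain data.
ACCEPTED_FACT_FORMATS = %w[pson application/json].freeze

def parse_submitted_facts(content_type, body)
  fmt = content_type.to_s.split(';').first.to_s.strip.downcase
  unless ACCEPTED_FACT_FORMATS.include?(fmt)
    raise ArgumentError, "facts must be PSON, got #{fmt.inspect}"
  end
  data = JSON.parse(body)
  raise ArgumentError, 'facts must be a JSON object' unless data.is_a?(Hash)
  data
end

if __FILE__ == $PROGRAM_NAME
  obj = load_facts_unsafely(HOSTILE_YAML)
  puts "unsafe load built a #{obj.class}: #{obj.name}=#{obj.value}"
  begin
    load_facts_safely(HOSTILE_YAML)
  rescue Psych::DisallowedClass => e
    puts "safe_load refused it: #{e.message}"
  end
  begin
    parse_submitted_facts('yaml', HOSTILE_YAML)
  rescue ArgumentError => e
    puts "PSON-only master refused it: #{e.message}"
  end
  facts = parse_submitted_facts('pson', '{"hostname":"web01","json_class":"Fact"}')
  puts "PSON facts stay plain data: #{facts.inspect}"
end
```

The changelog's compatibility note follows directly from this design: once the master refuses anything but PSON, agents old enough to submit facts only as YAML can no longer report, which is why the jessie update documents the break for agents older than 3.2.2 rather than trying to sanitize YAML on the server.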




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:29:50 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:48:55 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.