Several security issues were fixed in Puppet.
It was discovered that Puppet agents incorrectly handled certain kick connections in a non-default configuration. An attacker on an authenticated client could use this issue to possibly execute arbitrary code. (CVE-2013-1653)
12 March 2013
A security issue affects these releases of Ubuntu and its derivatives:
Several security issues were fixed in Puppet.
It was discovered that Puppet agents incorrectly handled certain kick connections in a non-default configuration. An attacker on an authenticated client could use this issue to possibly execute arbitrary code. (CVE-2013-1653)
It was discovered that Puppet incorrectly handled certain catalog requests. An attacker on an authenticated client could use this issue to possibly execute arbitrary code on the master. (CVE-2013-1640)
It was discovered that Puppet incorrectly handled certain client requests. An attacker on an authenticated client could use this issue to possibly perform unauthorized actions. (CVE-2013-1652)
It was discovered that Puppet incorrectly handled certain SSL connections. An attacker could use this issue to possibly downgrade connections to SSLv2. (CVE-2013-1654)
It was discovered that Puppet incorrectly handled serialized attributes. An attacker on an authenticated client could use this issue to possibly cause a denial of service, or execute arbitrary. (CVE-2013-1655)
It was discovered that Puppet incorrectly handled submitted reports. An attacker on an authenticated node could use this issue to possibly submit a report for any other node. (CVE-2013-2275)
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Vulmon