Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2013-3567

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Related bugs and status

CVE-2013-3567 (Candidate) is related to these bugs:

Bug #1192367: No security release provided in Lucid for CVE-2013-3567

Summary				In	Importance	Status
	1192367	No security release provided in Lucid for CVE-2013-3567		puppet (Ubuntu)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://puppetlabs.com...
SUSE: SUSE-SU-2013:1304
UBUNTU: USN-1886-1
SECUNIA: 54429
DEBIAN: DSA-2715
SUSE: openSUSE-SU-2013:1370
REDHAT: RHSA-2013:1283
REDHAT: RHSA-2013:1284