hiera: code execution from the current directory
Bug #1470417 reported by Alexei Sheplyakov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Fuel for OpenStack | Triaged | Medium | Fuel for Openstack | |
8.0.x | Won't Fix | Medium | MOS Ceph | |
Mitaka | Triaged | Medium | Fuel for Openstack | |
Bug Description
Platforms running Ruby 1.9.1 or earlier would load Ruby source files from the current working directory during
a Hiera lookup. This could lead to the execution of arbitrary code.
Affected versions: hiera < 1.3.4 (version in MOS 7.0, 6.1 is 1.3.1)
https:/
Suggested solution: upgrade to hiera 1.3.4, which contains a fix. Besides, it provides a substantial speed increase for lookups compared to Hiera 1.3.[21].
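An audit sketch for the condition described above, added here as an example and not taken from the bug report or from Hiera itself: it classifies hosts from inventory data using the thresholds the description gives (hiera < 1.3.4, Ruby 1.9.1 or earlier). The helper names, the sample hosts, and the extra check for relative load-path entries on newer Ruby are assumptions of this example.

```ruby
require 'rubygems'
require 'pathname'

# Thresholds taken from the bug description above.
HIERA_FIXED        = Gem::Version.new('1.3.4') # first hiera release with the fix
LAST_AFFECTED_RUBY = Gem::Version.new('1.9.1') # "Ruby 1.9.1 or earlier"

# Load-path entries that resolve against the working directory
# ('.', '', 'lib', ...). `require` searches them like any other entry.
def cwd_relative_entries(load_path)
  load_path.map(&:to_s).select { |e| e.empty? || Pathname.new(e).relative? }
end

# Hypothetical helper: classify one host from collected inventory data.
def assess(ruby_version, hiera_version, load_path)
  hiera_affected = Gem::Version.new(hiera_version) < HIERA_FIXED
  ruby_affected  = Gem::Version.new(ruby_version) <= LAST_AFFECTED_RUBY
  relative       = cwd_relative_entries(load_path)
  {
    :hiera_affected   => hiera_affected,
    :ruby_affected    => ruby_affected,
    :relative_entries => relative,
    # Assumption of this example: a relative load-path entry on a newer
    # Ruby (set via RUBYLIB or -I) is counted as the same exposure.
    :exposed          => hiera_affected && (ruby_affected || !relative.empty?)
  }
end

# Constructed sample inventory (not real hosts):
# name, Ruby version, hiera version, effective $LOAD_PATH.
SAMPLE_HOSTS = [
  ['node-a', '1.8.7', '1.3.1', ['.', '/usr/lib/ruby/1.8']],
  ['node-b', '2.1.5', '1.3.1', ['/usr/lib/ruby/2.1.0']],
  ['node-c', '2.1.5', '1.3.1', ['lib', '/usr/lib/ruby/2.1.0']],
  ['node-d', '1.8.7', '1.3.4', ['.', '/usr/lib/ruby/1.8']]
]

# Names of the hosts that still need the hiera upgrade.
def exposed_hosts(hosts)
  hosts.select { |_, ruby, hiera, lp| assess(ruby, hiera, lp)[:exposed] }
       .map(&:first)
end

puts exposed_hosts(SAMPLE_HOSTS).inspect if __FILE__ == $PROGRAM_NAME
```
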
CVE References
Changed in fuel:
assignee: nobody → MOS Linux (mos-linux)
status: New → Triaged
Changed in fuel:
assignee: MOS Linux (mos-linux) → Alexei Sheplyakov (asheplyakov)
tags: added: area-linux
tags: added: mos-linux removed: area-linux
tags: added: area-mos
puppet 3.4.3, mcollective 2.3.3 are affected too. Upgrading only hiera makes little sense, and upgrading puppet
and mcollective this late is way too risky. Moving to 8.0