advisories/10568.adv

type: security
subject: Updated puppet packages fix remote code execution vulnerability
CVE:
 - CVE-2013-3567
src:
  2:
   core:
     - puppet-2.7.22-1.mga2
  3:
   core:
     - puppet-2.7.22-1.mga3
description: |
  When making REST api calls, the puppet master takes YAML from an untrusted
  client, deserializes it, and then calls methods on the resulting object.
  A YAML payload can be crafted to cause the deserialization to construct
  an instance of any class available in the ruby process, which allows an
  attacker to execute code contained in the payload.
references:
 - http://puppetlabs.com/security/cve/cve-2013-3567/
 - http://www.ubuntu.com/usn/usn-1886-1/
1	boklm	61	type: security
2			subject: Updated puppet packages fix remote code execution vulnerability
3			CVE:
4			- CVE-2013-3567
5			src:
6			2:
7			core:
8			- puppet-2.7.22-1.mga2
9			3:
10			core:
11			- puppet-2.7.22-1.mga3
12			description: \|
13			When making REST api calls, the puppet master takes YAML from an untrusted
14			client, deserializes it, and then calls methods on the resulting object.
15			A YAML payload can be crafted to cause the deserialization to construct
16			an instance of any class available in the ruby process, which allows an
17			attacker to execute code contained in the payload.
18			references:
19			- http://puppetlabs.com/security/cve/cve-2013-3567/
20	boklm	62	- http://www.ubuntu.com/usn/usn-1886-1/