advisories/10568.adv

type: security
subject: Updated puppet packages fix remote code execution vulnerability
CVE:
 - CVE-2013-3567
src:
  2:
   core:
     - puppet-2.7.22-1.mga2
  3:
   core:
     - puppet-2.7.22-1.mga3
     - puppet3-3.2.2-1.mga3
description: |
  When making REST api calls, the puppet master takes YAML from an untrusted
  client, deserializes it, and then calls methods on the resulting object.
  A YAML payload can be crafted to cause the deserialization to construct
  an instance of any class available in the ruby process, which allows an
  attacker to execute code contained in the payload.
references:
 - http://puppetlabs.com/security/cve/cve-2013-3567/
 - http://www.ubuntu.com/usn/usn-1886-1/
ID: MGASA-2013-0187
1	boklm	61	type: security
2			subject: Updated puppet packages fix remote code execution vulnerability
3			CVE:
4			- CVE-2013-3567
5			src:
6			2:
7			core:
8			- puppet-2.7.22-1.mga2
9			3:
10			core:
11			- puppet-2.7.22-1.mga3
12	boklm	63	- puppet3-3.2.2-1.mga3
13	boklm	61	description: \|
14			When making REST api calls, the puppet master takes YAML from an untrusted
15			client, deserializes it, and then calls methods on the resulting object.
16			A YAML payload can be crafted to cause the deserialization to construct
17			an instance of any class available in the ruby process, which allows an
18			attacker to execute code contained in the payload.
19			references:
20			- http://puppetlabs.com/security/cve/cve-2013-3567/
21	boklm	62	- http://www.ubuntu.com/usn/usn-1886-1/
22	boklm	99	ID: MGASA-2013-0187