type: security
subject: Updated puppet packages fix remote code execution vulnerability
CVE:
  - CVE-2013-3567
src:
  2:
    core:
      - puppet-2.7.22-1.mga2
  3:
    core:
      - puppet-2.7.22-1.mga3
      - puppet3-3.2.2-1.mga3
description: |
  When making REST api calls, the puppet master takes YAML from an untrusted
  client, deserializes it, and then calls methods on the resulting object.
  A YAML payload can be crafted to cause the deserialization to construct
  an instance of any class available in the ruby process, which allows an
  attacker to execute code contained in the payload.
references:
  - http://puppetlabs.com/security/cve/cve-2013-3567/
  - http://www.ubuntu.com/usn/usn-1886-1/
ID: MGASA-2013-0187