advisories/10568.adv

type: security
subject: Updated puppet packages fix remote code execution vulnerability
CVE:
 - CVE-2013-3567
src:
  2:
   core:
     - puppet-2.7.22-1.mga2
  3:
   core:
     - puppet-2.7.22-1.mga3
     - puppet3-3.2.2-1.mga3
description: |
  When making REST api calls, the puppet master takes YAML from an untrusted
  client, deserializes it, and then calls methods on the resulting object.
  A YAML payload can be crafted to cause the deserialization to construct
  an instance of any class available in the ruby process, which allows an
  attacker to execute code contained in the payload.
references:
 - http://puppetlabs.com/security/cve/cve-2013-3567/
 - http://www.ubuntu.com/usn/usn-1886-1/
ID: MGASA-2013-0187
1	type: security
2	subject: Updated puppet packages fix remote code execution vulnerability
3	CVE:
4	- CVE-2013-3567
5	src:
6	2:
7	core:
8	- puppet-2.7.22-1.mga2
9	3:
10	core:
11	- puppet-2.7.22-1.mga3
12	- puppet3-3.2.2-1.mga3
13	description: \|
14	When making REST api calls, the puppet master takes YAML from an untrusted
15	client, deserializes it, and then calls methods on the resulting object.
16	A YAML payload can be crafted to cause the deserialization to construct
17	an instance of any class available in the ruby process, which allows an
18	attacker to execute code contained in the payload.
19	references:
20	- http://puppetlabs.com/security/cve/cve-2013-3567/
21	- http://www.ubuntu.com/usn/usn-1886-1/
22	ID: MGASA-2013-0187