advisories/10568.adv

type: security
subject: Updated puppet packages fix remote code execution vulnerability
CVE:
 - CVE-2013-3567
src:
  2:
   core:
     - puppet-2.7.22-1.mga2
  3:
   core:
     - puppet-2.7.22-1.mga3
description: |
  When making REST api calls, the puppet master takes YAML from an untrusted
  client, deserializes it, and then calls methods on the resulting object.
  A YAML payload can be crafted to cause the deserialization to construct
  an instance of any class available in the ruby process, which allows an
  attacker to execute code contained in the payload.
references:
 - http://puppetlabs.com/security/cve/cve-2013-3567/
 - http://www.ubuntu.com/usn/usn-1886-1/
1	type: security
2	subject: Updated puppet packages fix remote code execution vulnerability
3	CVE:
4	- CVE-2013-3567
5	src:
6	2:
7	core:
8	- puppet-2.7.22-1.mga2
9	3:
10	core:
11	- puppet-2.7.22-1.mga3
12	description: \|
13	When making REST api calls, the puppet master takes YAML from an untrusted
14	client, deserializes it, and then calls methods on the resulting object.
15	A YAML payload can be crafted to cause the deserialization to construct
16	an instance of any class available in the ruby process, which allows an
17	attacker to execute code contained in the payload.
18	references:
19	- http://puppetlabs.com/security/cve/cve-2013-3567/
20	- http://www.ubuntu.com/usn/usn-1886-1/