Your message dated Mon, 11 May 2020 11:59:29 -0700
with message-id
<cafcc3et1pvznrauxcj8l4lje8zrrrzbsxsp5nyjf46uoyyn...@mail.gmail.com>
and subject line Re: CVE-2018-11751
has caused the Debian Bug report #952925,
regarding CVE-2018-11751
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
952925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952925
Debian Bug Tracking System
--- Begin Message ---
Source: puppet
Severity: important
Please see
https://puppet.com/security/cve/CVE-2018-11751/
https://tickets.puppetlabs.com/browse/PUP-9459
https://github.com/puppetlabs/puppet/commit/b49c11b6425738441d6f33285d2630fa434a123e
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Control: notfound -1 5.5.10-4
Good news! The upstream advisory:
https://puppet.com/security/cve/CVE-2018-11751/
indicates this vulnerability does not apply to any version that's ever
been in Debian.
Specifically, although the free-form description text reads in general terms:
> Previous versions of Puppet Agent didn't verify the peer
> in the SSL connection prior to downloading the CRL.
> This issue is resolved in Puppet Agent 6.4.0.
the section "Affected software versions" refers specifically to the 6.x series:
> Affected software versions:
> * Puppet 6.x prior to 6.4.0
> * Puppet Agent 6.x prior to 6.4.0
The versions in buster, bullseye, and sid are all from the 5.5.x
series, so they are apparently not affected. Good thing, too, because
upstream does still support the 5.5.x series (until 2020-11 -- see
#950182). For a bug like this one it'd be remarkably bad practice if
they were to leave it known and unfixed there.
Cheers,
Greg
--- End Message ---