Issue #9790 has been updated by Daniel Pittman.

Assignee deleted (Daniel Pittman)

----------------------------------------
Bug #9790: TOCTOU vulnerability in ssh_authorized_keys.
https://projects.puppetlabs.com/issues/9790#change-92258

* Author: Daniel Pittman
* Status: Closed
* Priority: Normal
* Assignee:
* Category: security
* Target version: 2.6.11
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
There was a TOCTOU vulnerability in ssh_authorized_keys, and theoretically in the Solaris and AIX providers, where file ownership was given away before it was written. This was bad, because it allowed a user to overwrite arbitrary files as root, if their authorized_keys file was managed.

Credit to Ricky Zhou <[email protected]> for the discovery and fix.
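
The ordering problem described in the issue, shown from the defensive side as an added example (this is not Puppet's code and not the fix that shipped): the file is written and checked through a single open descriptor, and ownership is handed over last. The helper name `write_then_give_away`, the `demo` function and the sample key line are assumptions constructed for illustration.

```ruby
require 'tmpdir'

# Hypothetical helper (name and signature are assumptions for this example).
# The path is resolved exactly once, by open(2); every later step uses the
# descriptor, so there is no window between a check and the use it guards.
def write_then_give_away(path, content, uid, gid, mode = 0o600)
  flags = File::WRONLY | File::CREAT | File::NOFOLLOW  # refuse a symlink target
  File.open(path, flags, mode) do |f|
    st = f.stat                                # fstat(2) on the descriptor
    raise ArgumentError, "#{path}: not a regular file" unless st.file?
    raise ArgumentError, "#{path}: has #{st.nlink} hard links" unless st.nlink == 1
    f.truncate(0)                              # destroy old content only after checks
    f.write(content)
    f.flush
    f.chmod(mode)                              # fchmod(2)
    f.chown(uid, gid)                          # fchown(2): ownership changes last
  end
  true
end
# Caveat: O_NOFOLLOW covers only the final path component. Directories above
# the file stay under the user's control, so performing the write with the
# target user's privileges is the more complete mitigation (needs root, not
# shown here).

# Constructed demonstration in a throwaway directory. It runs unprivileged by
# "giving" the file to the current user.
def demo
  Dir.mktmpdir do |dir|
    keys  = File.join(dir, 'authorized_keys')
    other = File.join(dir, 'other_file')
    File.write(other, "untouched\n")
    write_then_give_away(keys, "ssh-ed25519 AAAAconstructed user@example\n",
                         Process.euid, Process.egid)
    written = File.read(keys).start_with?('ssh-ed25519')
    File.delete(keys)
    File.symlink(other, keys)                  # target path is now a symlink
    refused = begin
      write_then_give_away(keys, "x\n", Process.euid, Process.egid)
      false
    rescue SystemCallError                     # ELOOP on Linux
      true
    end
    { written: written, symlink_refused: refused,
      other_intact: File.read(other) == "untouched\n" }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```
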
