This release of Puppet Dashboard addresses CVE-2013-0277 and CVE-2013-0269. These are vulnerabilities that affect Ruby on Rails, specifically around YAML serialization and JSON handling. They expose vulnerable systems to SQL Injection, Denial of Service Attacks, and arbitrary YAML deserialization.
Additionally, CVE-2013-0276 and CVE-2013-0263 affect vendored components of Puppet Dashboard, but by default Puppet Dashboard does not interact with them in a way that exposes it to these vulnerabilities. Nevertheless, this release of Puppet Dashboard addresses these CVEs as well. Detailed information on the CVEs can be found at these URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263 Downloads ======== RPM packages for are available at https://yum.puppetlabs.com/el or /fedora Debian packages are available at https://apt.puppetlabs.com Source can be downloaded from https://puppetlabs.com/downloads/dashboard/puppet-dashboard-1.2.22.tar.gz, along with the accompanying signature file, https://puppetlabs.com/downloads/dashboard/puppet-dashboard-1.2.22.tar.gz.asc. See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Changelog ======== Nick Lewis (4): efab99d Upgrade to Rails 2.3.17 d2ae98f Upgrade to rack 1.1.6 90f2ca6 Upgrade json_pure to 1.5.5 2128ed8 Fix failing test due to new HTML-escaping rules -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com. To post to this group, send email to puppet-dev@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-dev?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
