Puppet 2.6.18 is now available. 2.6.18 addresses several security vulnerabilities discovered in the 2.6.x line of Puppet. These vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640, CVE-2013-1652, CVE-2013-1654, CVE-2013-2274, and CVE-2013-2275.
All users of Puppet 2.6.17 and earlier who cannot upgrade to the current version of Puppet, 3.1.1, are strongly encouraged to upgrade to 2.6.18. For more information on these vulnerabilities, please visit http://puppetlabs.com/security, or visit http://puppetlabs.com/security/cve/cve-2013-1640, http://puppetlabs.com/security/cve/cve-2013-1652, http://puppetlabs.com/security/cve/cve-2013-1654, http://puppetlabs.com/security/cve/cve-2013-2274, and http://puppetlabs.com/security/cve/cve-2013-2275. Downloads are available at: * Source https://downloads.puppetlabs.com/puppet/puppet-2.6.18.tar.gz RPMs are available at https://yum.puppetlabs.com/el or /fedora Debs are available at https://apt.puppetlabs.com See the Verifying Puppet Download section at: https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.6.18: http://projects.puppetlabs.com/projects/puppet/ ## Changelog ## Andrew Parker (2): f45cd4b (#14093) Remove unsafe attributes from TemplateWrapper d9ad70a (#14093) Restore access to the filename in the template Daniel Pittman (2): 31dad7d (#8858) Refactor tests to use real HTTP objects 906ab92 (#8858) Explicitly set SSL peer verification mode. Jeff McCune (2): add9998 (#19151) Reject SSLv2 SSL handshakes and ciphers 16fce8e (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname Josh Cooper (8): 7648de2 (#19391) Backport Request#remote? method 75a5f7e Run openssl from windows when trying to downgrade master e617728 Remove unnecessary rubygems require f07b761 Don't assume puppetbindir is defined a11a690 Display SSL messages so we can match our regex bb288aa Don't require openssl client to return 0 on failure f256c6d Don't assume master supports SSLv2 b166c4f (#19391) Find the catalog for the specified node name Justin Stoller (2): b01c728 Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275) e6b6124 Separate tests for same CVEs into separate files Matthaus Owens (1): 3ec5d5c Update CHANGELOG, lib/puppet.rb, conf/redhat/puppet.spec for 2.6.18 Nick Lewis (2): 66249d4 Always read request body when using Rack bdcf029 Fix order-dependent test failure in rest_authconfig_spec Patrick Carlisle (4): ccf2e4c (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests 6a7bd25 (#19392) (CVE-2013-1653) Validate instances passed to indirector ac44d87 (#19392) (CVE-2013-1653) Validate indirection model in save handler d5c9a2c (#19392) (CVE-2013-1653) Fix acceptance test to catch unvalidated model on 2.6 -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com. To post to this group, send email to puppet-dev@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-dev?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
