Puppet 3.6.2 is a security and bug fix release in the Puppet 3.6
series. This release addresses CVE-2014-3248 and CVE-2014-3250.

** CVE-2014-3248 **
Arbitrary Code Execution with Required Social Engineering
An attacker could convince an administrator to unknowingly create and
execute malicious code on platforms with Ruby 1.9.1 and earlier.
CVSSv2 Score: 5.2
Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

Affected Puppet versions (ruby 1.9.1 and earlier platforms only):
All

Fixed Puppet versions:
3.6.2
2.7.26*

** CVE-2014-3250 **
Information Leakage Vulnerability
In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl,
which defaults it to none and must be explicitly configured. This
setting enables checking of a certificate revocation list. The default
Puppet master vhost config shipped with Puppet does not include this
setting. If a Puppet master is set up to run with Apache 2.4, and this
default vhost configuration file is used, the Puppet master will
continue to honor a host's certificate even after it is revoked.
CVSSv2 Score: 3.1
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Affected Puppet versions:
All (must be configured as a master behind Apache 2.4 using the
default puppet master vhost).

Fixed Puppet versions:
3.6.2
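As an added illustration (not part of this announcement or of Puppet's shipped vhost file), the following Python check reads a vhost fragment and reports whether client certificates presented to it are actually checked against the configured CRL. The two embedded vhost snippets are constructed, their file paths are assumptions, and the directive names and values are mod_ssl's own.

```python
import re

# Constructed vhost fragments (not the file shipped with Puppet); paths are assumptions.
WEAK_VHOST = """
<VirtualHost *:8140>
    SSLEngine on
    SSLCACertificateFile   /etc/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile    /etc/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
</VirtualHost>
"""

FIXED_VHOST = """
<VirtualHost *:8140>
    SSLEngine on
    SSLCACertificateFile   /etc/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile    /etc/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 only consults the CRL when this is set explicitly.
    SSLCARevocationCheck   chain
    SSLVerifyClient optional
</VirtualHost>
"""

# Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(SSLCARevocationFile|SSLCARevocationCheck)\s+(\S+)", re.I)


def crl_check_effective(vhost_text, apache_version=(2, 4)):
    """Return (enabled, reason): is the CRL actually consulted for client certs?"""
    crl_file = None
    check_mode = None
    for line in vhost_text.splitlines():
        if line.lstrip().startswith("#"):  # whole-line comment
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).lower()
        if name == "sslcarevocationfile":
            crl_file = value
        else:
            check_mode = value
    if crl_file is None:
        return False, "no SSLCARevocationFile configured; revoked certs are accepted"
    if apache_version < (2, 4):
        return True, "Apache 2.2 checks the CRL whenever SSLCARevocationFile is set"
    if check_mode in (None, "none"):
        return False, "Apache 2.4 defaults SSLCARevocationCheck to none; CRL is never consulted"
    if check_mode.startswith(("chain", "leaf")):
        return True, "SSLCARevocationCheck %s consults the CRL" % check_mode
    return False, "unrecognised SSLCARevocationCheck value %r" % check_mode
```

Run against the weak fragment under Apache 2.4 the check reports the CRL as ineffective; the same fragment under Apache 2.2, or the fixed fragment under 2.4, passes.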

For more information on these vulnerabilities, please visit
https://puppetlabs.com/security/cve/cve-2014-3248
https://puppetlabs.com/security/cve/cve-2014-3250

## Bug Fixes
Chatty warning/deprecation messages can now be suppressed. As we near
the end of the 3.x series there will be a slew of deprecations, which
need to be visible so everyone knows what is going to change, but some
messages trigger large amounts of log spam, so it is now possible to
turn them off.
Directory environments under webrick now work; they no longer fail
with "Attempted to pop, but already at root of the context stack"
errors.
A memory leak in loading functions was fixed.

Community shout-out for this release goes to Joshua Hoblitt for
testing the memory leak patch and providing awesome usage graphs
(PUP-2692).

Please read through the Release Notes for the full list of changes:
http://docs.puppetlabs.com/puppet/latest/reference/release_notes.html
To install Puppet, follow the Installation Guide:
http://docs.puppetlabs.com/guides/install_puppet/pre_install.html
To report issues with the release, file a ticket in the "PUP" project
on https://tickets.puppetlabs.com/ and set the "Affects version/s"
field to "3.6.2".

* The Puppet 2.7.x series is officially end of life, but continues to
be maintained by community members. See the release announcement to
puppet-announce/puppet-users/puppet-dev regarding Puppet 2.7.26.

-- 
Moses Mendoza
Puppet Labs

Join us at PuppetConf 2014, September 20-24 in San Francisco
Register by July 31st to take advantage of the Early Bird discount — save $249!
