We have discovered a security vulnerability (“AltNames Vulnerability”) whereby a malicious attacker can impersonate the Puppet master using credentials from a Puppet agent node. This vulnerability cannot cross Puppet deployments, but it can allow an attacker with elevated privileges on one Puppet-managed node to gain control of any other Puppet-managed node within the same infrastructure.
All Puppet Enterprise deployments are vulnerable, and Puppet open source deployments may be, depending upon their site configuration. We believe this to be a serious risk, and we have confirmed this with security experts outside of Puppet Labs. For more information we have the following resources: * Blog Post with all the details: http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/ * Security links and details: http://puppetlabs.com/security/cve/cve-2011-3872/ * Remediation module: http://links.puppetlabs.com/cve20113872_remediation As a result of this vulnerability (CVE-2011-3872) we have released new version of Puppet. * 2.6.12 * 2.7.6 We will be sending separate announcements about each of those releases. Michael Stahnke Release Manager - Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.