All,

In the last few weeks, several serious security vulnerabilities have been disclosed in components of Ruby on Rails, Rack, the JSON rubygem, Ruby 1.9, and certain cryptographic protocols used in OpenSSL. These include CVE-2013-0276, CVE-2013-0277, CVE-2013-0263, CVE-2013-0269, CVE-2013-0169, CVE-2012-6496, CVE-2012-6497, CVE-2013-0155, and CVE-2013-0156, and the list goes on.

CVE details on all of these vulnerabilities can be found at the Mitre website, using the CVE number as the search query, e.g.:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=<cve-num>

Puppet Labs has provided or is in the process of generating hotfixes and patch releases for our products that are affected by these vulnerabilities, which we strongly urge all users to update to as soon as possible. All security announcements for Puppet software are sent to the Puppet-Announce mailing list. To follow security releases and our other software announcements, join at groups.google.com/group/puppet-announce.

This is just a friendly, if not urgent, reminder to all the Puppet users that if you are using Ruby on Rails, Rack, JSON, and/or OpenSSL outside of our products or in tandem with them in some way (e.g. Puppet ActiveRecord-based storeconfigs), it is critical to update your installations to the latest patch versions of this software.

These recent CVEs are no trifle. They are serious vulnerabilities with massive potential attack payloads, including arbitrary code execution, SQL injection, and the like (e.g. "all your hosts are belong to me").

Regards,
Moses Mendoza
Release Engineering, Puppet Labs