Puppet Dashboard 1.2.18 is now available. This release of Puppet Dashboard addresses CVE 2013-0156. All users are strongly encouraged to update when possible.
CVE-2013-0156 affects Ruby on Rails, specifically in all versions of ActionPack. The vulnerability exposes Rails to arbitrary SQL Injection. More information on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156 Downloads ======== RPM packages for are available at https://yum.puppetlabs.com/el or /fedora Debian packages are available at https://apt.puppetlabs.com Source can be downloaded from https://puppetlabs.com/downloads/dashboard/puppet-dashboard-1.2.18.tar.gz, along with the accompanying signature file, https://puppetlabs.com/downloads/dashboard/puppet-dashboard-1.2.18.tar.gz.asc. See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet 1.2.18 Security Fixes ================ Matthaus Owens (2): 6aa4294 Apply suggested workaround for CVE-2013-0156 as Dashboard does not use xml parameter parsing. 683edda Update CHANGELOG, VERSION for 1.2.18 -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
