Puppet Server 0.2.1 is a security release. This release addresses CVE-2014-7170. All users of Puppet Server are encouraged to upgrade as soon as possible.
** CVE-2014-7170 ** Local information leakage Due to a packaging bug[1], there is a window between package installation/upgrade and service start where privileged data is accessible to non-privileged local users. CVSS v2 Score: 2.0 (low severity) [2] CVSS v2 Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C) Thanks to Dominic Cleal for responsibly disclosing this issue to us. Reminder: As the version number 0.2.1 should imply, Puppet Server is not production ready (yet), but please do try it out in your favorite sandbox. Additionally, the API will not be considered fully stable until Puppet Server reaches 1.0.0. Install Puppet Server from packages: https://github.com/puppetlabs/puppet-server/blob/puppet-server-0.2.1/documentation/install_from_packages.markdown Submit issues to: https://tickets.puppetlabs.com/browse/SERVER Source: https://github.com/puppetlabs/puppet-server [1] - https://tickets.puppetlabs.com/browse/SERVER-9 [2] - http://nvd.nist.gov/cvss.cfm -- Matthaus Owens Puppet Labs Join us at PuppetConf 2014, September 20-24 in San Francisco - www.puppetconf.com -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACD%3DwAcVwyh7w%3Dkm%2B-FFssSitXb0HPtm-psck%3DD9aLN27i2ckw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
