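Puppet is a Ruby-based tool that lets you centrally manage every important aspect of a system using a cross-platform specification language. It manages all the separate elements normally aggregated in different files, such as users, cron jobs and hosts, along with discrete elements such as packages, services and files.
Puppet's simple declarative specification language provides powerful classing abilities for drawing out the similarities between hosts while allowing them to be as specific as necessary, and it handles dependency and prerequisite relationships between objects clearly and explicitly.
Puppet 3.2.4/2.7.23 final has been released (2013-08-16). The previous release was 3.2.3 on 2013-07-16; the other product lines are at 3.1.1, 3.0.2 and 2.6.18. This is an urgent fix for two security vulnerabilities, CVE-2013-4761 and CVE-2013-4956.
Release announcement: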
Puppet 3.2.4
Released August 15, 2013.
3.2.4 is a security fix release of the Puppet 3.2 series. It has no other bug fixes or new features.
Security Fixes
CVE-2013-4761 (resource_type Remote Code Execution Vulnerability)
By using the resource_type service, an attacker could cause Puppet to load arbitrary Ruby files from the puppet master server's file system. While this behavior is not enabled by default, auth.conf settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.
CVE-2013-4956 (Puppet Module Permissions Vulnerability)
The puppet module subcommand did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.
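As an added example (not part of the release announcement and not Puppet's own code), the following Ruby sketch audits a directory of installed modules for mode bits that could have been carried over from the build, as CVE-2013-4956 describes. The function names, the choice of which bits to flag, and the sample tree are assumptions of this example.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Permission bits treated as too loose for installed module content.
# (Assumption of this example: which bits to flag is a local policy choice.)
WORLD_WRITE = 0o002
GROUP_WRITE = 0o020
SET_ID_BITS = 0o6000

# Walk an installed-module tree and report every entry whose mode carries
# one of the bits above. Returns an array of hashes sorted by path.
def audit_module_tree(root)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink? # a symlink's own mode bits are not meaningful
    mode = st.mode & 0o7777
    reasons = []
    reasons << 'world-writable' if (mode & WORLD_WRITE) != 0
    reasons << 'group-writable' if (mode & GROUP_WRITE) != 0
    reasons << 'setuid/setgid' if st.file? && (mode & SET_ID_BITS) != 0
    next if reasons.empty?
    findings << { path: path, mode: format('%04o', mode), reasons: reasons }
  end
  findings.sort_by { |f| f[:path] }
end

# Constructed sample: a temporary module tree in which one manifest keeps a
# 0666 mode, as if it had been packaged that way. Returns the audit rows.
def demo_findings
  Dir.mktmpdir('modules') do |root|
    mod = File.join(root, 'examplemod')
    manifests = File.join(mod, 'manifests')
    FileUtils.mkdir_p(manifests)
    [mod, manifests].each { |dir| File.chmod(0o755, dir) }
    { 'init.pp' => 0o644, 'params.pp' => 0o666 }.each do |name, mode|
      file = File.join(manifests, name)
      File.write(file, "# constructed sample manifest\n")
      File.chmod(mode, file)
    end
    audit_module_tree(root).map do |f|
      [f[:path].sub("#{root}/", ''), f[:mode], f[:reasons]]
    end
  end
end

demo_findings.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

To check a real system, call audit_module_tree with the directory where your modules are installed.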
Download: http://downloads.puppetlabs.com/puppet/puppet-3.2.4.tar.gz
http://downloads.puppetlabs.com/puppet/puppet-2.7.23.tar.gz
Source: OSChina (Open Source China community)

