SUSE-SU-2018:0600-1: moderate: Security update for puppet

sle-security-updates at lists.suse.com
Mon Mar 5 07:07:28 MST 2018


   SUSE Security Update: Security update for puppet
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0600-1
Rating:             moderate
References:         #1040151 #1077767 
Cross-References:   CVE-2017-2295
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for puppet fixes the following issues:

   - CVE-2017-2295: Fixed a security vulnerability where an attacker could
     force YAML deserialization in an unsafe manner, which would lead to
     remote code execution.

   By default, this update breaks backwards compatibility with Puppet agents
   older than 3.2.2, because the SLE11 master no longer accepts fact formats
   other than PSON by default. To allow users to keep using their SLE11
   agents, a patch was added that makes those agents send PSON.

   For non-SUSE clients older than 3.2.2, a new puppet master boolean option
   "dangerous_fact_formats" was added. When it is set to true, the dangerous
   fact formats (e.g. YAML) are accepted; when it is set to false, only the
   PSON fact format is accepted. (bsc#1040151), (bsc#1077767)
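   As an added example that is not part of the advisory or of Puppet itself, a
   small Python audit helper that checks a master's puppet.conf for the
   "dangerous_fact_formats" option and compares an installed puppet-server
   version against the fixed one listed below. It assumes the option is read
   from the [master] section (falling back to [main]) and that an absent
   option means the PSON-only default described above.

```python
"""Audit helper for SUSE-SU-2018:0600-1 (added example, not SUSE's or Puppet's code)."""
import configparser  # puppet.conf is INI-style with [main]/[master]/[agent] sections
import re

# Fixed puppet-server VERSION-RELEASE taken from the advisory's package list.
FIXED_PUPPET_SERVER = "2.7.26-0.5.3.1"

# Constructed sample puppet.conf: a master where YAML facts were re-enabled.
SAMPLE_CONF = """\
[main]
logdir = /var/log/puppet

[master]
# re-enabled for pre-3.2.2 non-SUSE agents; accepts YAML facts again
dangerous_fact_formats = true
"""

def dangerous_fact_formats_enabled(conf_text):
    """Return True if the master accepts dangerous fact formats (e.g. YAML).
    Assumption: the option is looked up in [master], then [main]; when it is
    absent the patched master defaults to PSON-only, i.e. False."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    for section in ("master", "main"):
        if cp.has_option(section, "dangerous_fact_formats"):
            return cp.getboolean(section, "dangerous_fact_formats")
    return False

def _vr_key(version_release):
    """Split 'VERSION-RELEASE' into a comparable tuple (simplified rpmvercmp:
    numeric segments compare as integers, other segments as strings)."""
    return tuple((1, int(s)) if s.isdigit() else (0, s)
                 for s in re.split(r"[.\-]", version_release))

def is_patched(installed_vr, fixed_vr=FIXED_PUPPET_SERVER):
    """True if the installed puppet-server VERSION-RELEASE is at least the
    fixed one. installed_vr is what rpm -q --qf '%{VERSION}-%{RELEASE}'
    puppet-server prints; it is passed in rather than executed here."""
    return _vr_key(installed_vr) >= _vr_key(fixed_vr)

def audit(conf_text, installed_vr):
    """Combine both checks into one operator-facing finding line."""
    if not is_patched(installed_vr):
        return "FINDING: puppet-server %s predates %s (CVE-2017-2295 unfixed)" % (
            installed_vr, FIXED_PUPPET_SERVER)
    if dangerous_fact_formats_enabled(conf_text):
        return ("FINDING: dangerous_fact_formats=true, YAML facts accepted; "
                "upgrade remaining pre-3.2.2 agents, then set it to false")
    return "OK: patched and only PSON facts accepted"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "2.7.26-0.5.3.1"))
```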


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-puppet-13498=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      puppet-2.7.26-0.5.3.1
      puppet-server-2.7.26-0.5.3.1


References:

   https://www.suse.com/security/cve/CVE-2017-2295.html
   https://bugzilla.suse.com/1040151
   https://bugzilla.suse.com/1077767


