
Puppet 3.2.2/2.7.22 Emergency Release Fixes a Security Vulnerability

Date: 2013-06-20 09:08  Source: www.oschina.net  Author: admin

Puppet has issued an emergency release of versions 3.2.2 and 2.7.22 (2013-06-19). The previous version, 3.2.1, was released on 2013-05-23. This release fixes only one security vulnerability: CVE-2013-3567, an Unauthenticated Remote Code Execution Vulnerability.

Details

CVE-2013-3567 Unauthenticated Remote Code Execution Vulnerability.


Overview

CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)

  • Posted June 18, 2013

When making REST api calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the ruby process, which allows an attacker to execute
code contained in the payload.

Status

  • Resolved in Puppet 2.7.22, 3.2.2
  • Resolved in Puppet Enterprise 2.8.2

Credits


Credit to Ben Murphy for the responsible disclosure of this vulnerability.

A critical vulnerability was found in puppet wherein it was possible for the puppet master to take YAML from an untrusted client via the REST API. This YAML could be deserialized to construct an object containing arbitrary code.
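The mechanism described above, as an added example that is not Puppet's own code: a full Ruby YAML deserializer honours object tags and instantiates whatever class the document names, while `YAML.safe_load` restricts the result to plain data types. The `Greeter` class and the two documents are constructed for illustration and are not real Puppet REST traffic.

```ruby
# Added example (not from Puppet): why deserializing untrusted YAML with the
# full loader is dangerous, and the allow-list loader a defender should use.
require 'yaml'

# Harmless stand-in for "any class available in the ruby process".
class Greeter
  attr_reader :name
  def initialize(name = 'default')
    @name = name
  end
end

# Constructed sample documents (hypothetical, not real Puppet messages).
PLAIN_DOC  = "---\nname: agent01\nfacts:\n  osfamily: Debian\n"
OBJECT_DOC = "--- !ruby/object:Greeter\nname: injected\n"

# Vulnerable pattern: the full deserializer builds a Greeter instance from
# client-supplied text. Psych >= 3.3.2 exposes this as YAML.unsafe_load;
# on older Psych the same behaviour is YAML.load itself.
def load_legacy(yaml)
  loader = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
  YAML.public_send(loader, yaml)
end

# Hardened pattern: safe_load permits only core scalar/collection types by
# default (no arbitrary classes, no aliases), so an object tag is rejected
# rather than instantiated. The rejection is returned as data for logging.
def load_untrusted(yaml)
  YAML.safe_load(yaml)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { 'rejected' => e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  puts load_legacy(OBJECT_DOC).class      # Greeter  (object was constructed)
  puts load_untrusted(OBJECT_DOC).inspect # {"rejected"=>"Psych::DisallowedClass"}
  puts load_untrusted(PLAIN_DOC).inspect  # plain Hash, as expected
end
```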

Downloads:
http://downloads.puppetlabs.com/puppet/puppet-3.2.2.tar.gz

http://downloads.puppetlabs.com/puppet/puppet-2.7.22.tar.gz

Puppet lets you centrally manage every important aspect of your systems using a cross-platform specification language. It manages the separate elements that are normally scattered across different files, such as users, cron jobs and hosts, together with obviously discrete elements such as packages, services and files.

Puppet's simple declarative specification language provides powerful classing abilities for drawing out the similarities between hosts while still allowing each host to be configured as specifically as necessary, and it expresses the dependency and prerequisite relationships between objects clearly and explicitly.

Original post (please credit Linux 系统运维 when reposting):
http://www.linuxyw.com/linux/yenei/2013/0620/578.html
