USN-917-1: Puppet vulnerabilities

24 March 2010

puppet vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10

Software Description

  • puppet

Details

It was discovered that Puppet did not drop supplementary groups when being run as a different user. A local user may be able to use this flaw to bypass security restrictions and gain access to restricted files. (CVE-2009-3564)

It was discovered that Puppet did not correctly handle temporary files. A local user can exploit this flaw to bypass security restrictions and overwrite arbitrary files. (CVE-2010-0156)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
puppet - 0.24.8-2ubuntu4.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References