Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet. The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid-for …
What the fail?
Let me get this straight: Code designed to execute arbitrary code executes arbitrary code. Did I miss a meeting? Does the fix involve stopping arbitrary code from executing? Who is doing security walk-throughs or auditing this stuff?
Admittedly the press release itself is annoyingly non-specific, but that's no excuse for just republishing it verbatim merely wrapped with a few excerpts from Puppet's "about us" page. In the future just link to the press release and the company's Wikipedia page.
Re: why bother?
...that's no excuse for just republishing [the press release] verbatim...
Clearly that is not all that was done here. For added value, we have information about and a link to a competitor's product.
Also, why not a mention that they gave credit to the person who discovered the flaw as this is a theme in security research these days? Did the company pay a bounty on this or is a mention on the web site the best they can do?
So is Puppet Labs really now a bunch of muppets?
Any config management system should be on a management-only subnet & not visible to the world or even to the local infrastructure.
Still ... looks like I'll be doing a round of systems patching today :)
Puppet, patch thyself.
The Register says Puppet Labs "advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later", but there's nothing about "all users" on the Puppet Labs site, and the mailing list announcement says the issue is with the 2.7 series:
So is 2.6 OK?
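Two of the comments above amount to practical checks an admin would want to run before and after a patch round: whether every Puppet host reports a version at or above the advised minimums (2.7.22 or 3.2.2, as quoted from the advisory), and whether anything outside the management subnet has been reaching the master at all. The script below is an added example, not code from The Register, the commenters or Puppet Labs. It assumes a constructed management subnet (10.10.0.0/24), a constructed host inventory, constructed netfilter-style log lines, and the Puppet master's default agent port of 8140; anything in a series the advisory does not name is deliberately reported as needing review rather than assumed safe.

```python
import ipaddress
import re

# Advised minimum versions as quoted on this page: "2.7.22, 3.2.2 or later".
ADVISED_MINIMUMS = ((2, 7, 22), (3, 2, 2))

# Assumed management-only subnet (constructed value for this example).
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")

# Puppet master's default agent-facing port.
PUPPET_PORT = 8140


def parse_version(text):
    """Turn '2.7.22' into (2, 7, 22) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))


def meets_advisory(version):
    """True if `version` is at or above the advised minimum for its own
    major.minor series, or belongs to a series newer than the newest one
    the advisory names.  Older series, and series the advisory does not
    mention, return False so the host is reviewed rather than assumed safe."""
    v = parse_version(version)
    for minimum in ADVISED_MINIMUMS:
        if v[:2] == minimum[:2]:
            return v >= minimum
    return v[:2] > max(m[:2] for m in ADVISED_MINIMUMS)


# Constructed host inventory: hostname -> version reported by the agent.
SAMPLE_INVENTORY = {
    "web01": "2.7.21",
    "web02": "2.7.22",
    "db01": "3.2.1",
    "db02": "3.2.2",
    "ci01": "3.3.0",
}


def hosts_needing_upgrade(inventory):
    """Hostnames whose reported version does not meet the advisory."""
    return sorted(host for host, ver in inventory.items() if not meets_advisory(ver))


# Constructed netfilter-style log lines from the master's firewall.
SAMPLE_LOG = """\
Jun 19 09:00:01 master kernel: IN=eth0 SRC=10.10.0.15 DST=10.10.0.5 PROTO=TCP DPT=8140
Jun 19 09:00:07 master kernel: IN=eth0 SRC=10.10.0.22 DST=10.10.0.5 PROTO=TCP DPT=8140
Jun 19 09:01:13 master kernel: IN=eth0 SRC=192.0.2.44 DST=10.10.0.5 PROTO=TCP DPT=8140
Jun 19 09:02:40 master kernel: IN=eth0 SRC=198.51.100.9 DST=10.10.0.5 PROTO=TCP DPT=22
Jun 19 09:03:05 master kernel: IN=eth0 SRC=203.0.113.7 DST=10.10.0.5 PROTO=TCP DPT=8140
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")


def outside_sources(log_text, mgmt=MGMT_SUBNET, port=PUPPET_PORT):
    """Unique source addresses that reached the Puppet port from outside
    the management subnet, sorted by address.  Hits on other ports are ignored."""
    hits = set()
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match or int(match.group("dpt")) != port:
            continue
        src = ipaddress.ip_address(match.group("src"))
        if src not in mgmt:
            hits.add(str(src))
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("hosts to upgrade:", hosts_needing_upgrade(SAMPLE_INVENTORY))
    print("non-management sources on port %d:" % PUPPET_PORT, outside_sources(SAMPLE_LOG))
```

With the constructed data, web01 (2.7.21) and db01 (3.2.1) are listed for upgrade, and 192.0.2.44 and 203.0.113.7 are reported as non-management sources on the master port; the 198.51.100.9 line is ignored because it hit port 22. Any non-empty result from `outside_sources` is the point of the "management-only subnet" comment: the master should not be reachable from there in the first place.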
My Dreams are shattered
I don't understand. Puppet is Open Source, a panacea, the answer to all the world's ills.
How can it possibly have any flaw, let alone a security vulnerability?
My hopes & dreams lie in tatters...