Remote code execution vuln appears in Puppet

Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet. The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid-for …

COMMENTS

This topic is closed for new posts.
Silver badge

What the fail?

Let me get this straight: Code designed to execute arbitrary code executes arbitrary code. Did I miss a meeting? Does the fix involve stopping arbitrary code from executing? Who is doing security walk-throughs or auditing this stuff?

0
0

why bother?

admittedly the press release itself is annoyingly non-specific, but that's no excuse for just republishing it verbatim merely wrapped with a few excerpts from puppet's about us page. in the future just link to the press release and the company's wikipedia page.

0
0
Bronze badge
Childcatcher

Re: why bother?

...that's no excuse for just republishing [the press release] verbatim...

Clearly that is not all that was done here. For added value, we have information about and a link to a competitor's product.

Also, why not a mention that they gave credit to the person who discovered the flaw as this is a theme in security research these days? Did the company pay a bounty on this or is a mention on the web site the best they can do?

0
0
Silver badge
Joke

So is Puppet Labs really now a bunch of muppets?

3
0

Meh!

Any config management system should be on a management-only subnet & not visible to the world or even to the local infrastructure

Still ... looks like I'll be doing a round of systems patching today :)

0
0
Gold badge

Puppet, patch thyself.

2
0

Puppet 2.6?

The Register says Puppet Labs "advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later", but there's nothing about "all users" on the Puppet Labs site, and the mailing list announcement says the issue is with the 2.7 series:

https://groups.google.com/forum/?fromgroups#!topic/puppet-announce/zt0O6FtUT3c

So is 2.6 OK?

0
0

My Dreams are shattered

I don't understand. Puppet is Open Source, a Panacea, the answer to all the world's ills.

How can it possibly have any flaw, let alone a security vulnerability?

My hopes & dreams lie in tatters.....

1
1