Security Information / 2011 / Security Information -- DSA-2352-1 puppet

Debian Security Advisory

DSA-2352-1 puppet -- programming error

Date Reported:

22 Nov 2011

Affected Packages:

puppet

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-3872.

More information:

It was discovered that Puppet, a centralized configuration management solution, misgenerated certificates if the certdnsnames option was used. This could lead to man in the middle attacks. More details are available on the Puppet web site.

For the oldstable distribution (lenny), this problem has been fixed in version 0.24.5-3+lenny2.

For the stable distribution (squeeze), this problem has been fixed in version 2.6.2-5+squeeze3.

For the unstable distribution (sid), this problem has been fixed in version 2.7.6-1.

We recommend that you upgrade your puppet packages.