ALAS-2012-075


Amazon Linux AMI Security Advisory: ALAS-2012-75
Advisory Release Date: 2014-09-14 16:09 Pacific
Severity: Medium
References: CVE-2012-1986 

Issue Overview:

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.


Affected Packages:

puppet


Issue Correction:
Run yum update puppet to update your system.

New Packages:
i686:
    puppet-debuginfo-2.6.16-1.6.amzn1.i686
    puppet-2.6.16-1.6.amzn1.i686
    puppet-server-2.6.16-1.6.amzn1.i686

src:
    puppet-2.6.16-1.6.amzn1.src

x86_64:
    puppet-debuginfo-2.6.16-1.6.amzn1.x86_64
    puppet-2.6.16-1.6.amzn1.x86_64
    puppet-server-2.6.16-1.6.amzn1.x86_64