Amazon Linux 1 Security Advisory: ALAS-2012-75
Advisory Release Date: 2012-05-08 23:13 Pacific
Advisory Updated Date: 2014-09-14 16:09 Pacific
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
Affected Packages:
puppet
Issue Correction:
Run yum update puppet to update your system.
i686:
puppet-debuginfo-2.6.16-1.6.amzn1.i686
puppet-2.6.16-1.6.amzn1.i686
puppet-server-2.6.16-1.6.amzn1.i686
src:
puppet-2.6.16-1.6.amzn1.src
x86_64:
puppet-debuginfo-2.6.16-1.6.amzn1.x86_64
puppet-2.6.16-1.6.amzn1.x86_64
puppet-server-2.6.16-1.6.amzn1.x86_64
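
One way to confirm the update took effect on a host, as an added example that is not part of the original advisory: the shell functions below flag puppet packages older than the 2.6.16-1.6.amzn1 build listed above. The function names are hypothetical, and GNU sort -V is assumed as a stand-in for rpm's own version comparison.

```shell
#!/usr/bin/env bash
# Added example: flag puppet packages older than the builds listed in ALAS-2012-75.
FIXED_EVR="2.6.16-1.6.amzn1"   # version-release taken from the advisory's package list

# Return 0 when version-release $1 is at or above $2.
# Assumption: GNU `sort -V` ordering stands in for rpm's comparison; the two agree
# for dotted numeric versions such as Puppet's. Epochs are not handled.
evr_at_least() {
    local lowest
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Read "name version-release" lines on stdin and print one verdict per puppet package.
# Returns 1 if any listed package is older than the advisory build.
check_puppet_packages() {
    local name evr rc=0
    while read -r name evr; do
        case "$name" in
            puppet|puppet-server|puppet-debuginfo) ;;   # packages named in the advisory
            *) continue ;;                              # ignore everything else
        esac
        if evr_at_least "$evr" "$FIXED_EVR"; then
            echo "OK      $name $evr"
        else
            echo "UPDATE  $name $evr (older than $FIXED_EVR)"
            rc=1
        fi
    done
    return "$rc"
}

# On a host, feed it the installed package list:
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' 'puppet*' | check_puppet_packages
```

A non-zero exit status means at least one package still needs yum update puppet.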