ALAS-2012-075


Amazon Linux 1 Security Advisory: ALAS-2012-75
Advisory Release Date: 2012-05-08 23:13 Pacific
Advisory Updated Date: 2014-09-14 16:09 Pacific
Severity: Medium

Issue Overview:

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.


Affected Packages:

puppet


Issue Correction:
Run yum update puppet to update your system.

New Packages:
i686:
    puppet-debuginfo-2.6.16-1.6.amzn1.i686
    puppet-2.6.16-1.6.amzn1.i686
    puppet-server-2.6.16-1.6.amzn1.i686

src:
    puppet-2.6.16-1.6.amzn1.src

x86_64:
    puppet-debuginfo-2.6.16-1.6.amzn1.x86_64
    puppet-2.6.16-1.6.amzn1.x86_64
    puppet-server-2.6.16-1.6.amzn1.x86_64