ALAS-2013-213


Amazon Linux 1 Security Advisory: ALAS-2013-213
Advisory Release Date: 2013-07-12 15:57 Pacific
Advisory Updated Date: 2014-09-15 23:18 Pacific
Severity: Critical

Issue Overview:

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.


Affected Packages:

puppet


Issue Correction:
Run yum update puppet to update your system.

New Packages:
i686:
    puppet-debuginfo-2.7.22-1.0.amzn1.i686
    puppet-2.7.22-1.0.amzn1.i686
    puppet-server-2.7.22-1.0.amzn1.i686

src:
    puppet-2.7.22-1.0.amzn1.src

x86_64:
    puppet-2.7.22-1.0.amzn1.x86_64
    puppet-debuginfo-2.7.22-1.0.amzn1.x86_64
    puppet-server-2.7.22-1.0.amzn1.x86_64