[chef-dev] Re: Does chef have similar vulns? (Fwd: [SECURITY] [DSA 2451-1] puppet security update{

[Adam Jacob < >]

There is no equivalent functionality to a puppet filebucket in Chef.
We do keep backups of files, but we do so on the local filesystems on
the clients. (If you then wanted to ship them someplace, it's on you.)

When we write temp files, we (to the best of my knowledge) always do
so via Ruby's Tempfile support. (We even, on occasion, will use it to
create a tempfile, unlink it, and re-use the name.) Nobody has done an
audit to confirm, but I think we're just fine on that front.

Adam

On Fri, Apr 13, 2012 at 9:41 AM, Joseph Holsten
<
 >
 wrote:
> Seems like predictable temp files are an issue, but I can't be sure about 
> any of the others. Any thoughts?
>
>
> Begin forwarded message:
>
>> Resent-From: 
>> 
 
>>  (Mailing List Manager)
>> From: Nico Golde 
>> <
 >
>> Subject: [SECURITY] [DSA 2451-1] puppet security update
>> Date: 2012-04-13 04:52:10 +0000
>> To: 
>> 
 
>> Resent-Cc: recipient list not shown: ;
>> Reply-To: 
>> 
 
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> - -------------------------------------------------------------------------
>> Debian Security Advisory DSA-2451-1                   
>> 
 
>> http://www.debian.org/security/                                Nico Golde
>> April 13, 2012                         http://www.debian.org/security/faq
>> - -------------------------------------------------------------------------
>>
>> Package        : puppet
>> Vulnerability  : several
>> Problem type   : remote
>> Debian-specific: no
>> CVE IDs        : CVE-2012-1906 CVE-2012-1986 CVE-2012-1987 CVE-2012-1988
>>
>> Several vulnerabilities have been discovered in puppet, a centralized
>> configuration management system.  The Common Vulnerabilities and
>> Exposures project identifies the following problems:
>>
>> CVE-2012-1906
>>
>>    Puppet is using predictable temporary file names when downloading
>>    Mac OS X package files.  This allows a local attacker to either
>>    overwrite arbitrary files on the system or to install an arbitrary
>>    package.
>>
>> CVE-2012-1986
>>
>>    When handling requests for a file from a remote filebucket, puppet
>>    can be tricked into overwriting its defined location for filebucket
>>    storage.  This allows an authorized attacker with access to the puppet
>>    master to read arbitrary files.
>>
>> CVE-2012-1987
>>
>>    Puppet is incorrectly handling filebucket store requests.  This allows
>>    an attacker to perform denial of service attacks against puppet by
>>    resource exhaustion.
>>
>> CVE-2012-1988
>>
>>    Puppet is incorrectly handling filebucket requests.  This allows an
>>    attacker with access to the certificate on the agent and an unprivileged
>>    account on puppet master to execute arbitrary code via crafted file
>>    path names and making a filebucket request.
>>
>>
>> For the stable distribution (squeeze), this problem has been fixed in
>> version 2.6.2-5+squeeze5.
>>
>> For the testing distribution (wheezy), this problem has been fixed in
>> version 2.7.13-1.
>>
>> For the unstable distribution (sid), this problem has been fixed in
>> version 2.7.13-1.
>>
>> We recommend that you upgrade your puppet packages.
>>
>> Further information about Debian Security Advisories, how to apply
>> these updates to your system and frequently asked questions can be
>> found at: http://www.debian.org/security/
>>
>> Mailing list: 
>> 
 
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>>
>> iEYEARECAAYFAk+HsPoACgkQHYflSXNkfP/vpACgtg0NK6myRJW7XNXu17FXiS2j
>> JAgAoIYkhMWpQKhsLTF6Kn60cIQ0Cinm
>> =gA9r
>> -----END PGP SIGNATURE-----
>>
>



-- 
Opscode, Inc.
Adam Jacob, Chief Customer Officer
T: (206) 619-7151 E: