[VIM] [CVENEW] New CVE CANs: 2013/03/20 12:00 ; count=7

coley at mitre.org
Wed Mar 20 11:04:28 CDT 2013


======================================================
Name: CVE-2013-1640
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1640
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130210
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-1640/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: UBUNTU:USN-1759-1
Reference: URL:http://ubuntu.com/usn/usn-1759-1
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

The (1) template and (2) inline_template functions in the master
server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before
3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2
allow remote authenticated users to execute arbitrary code via a
crafted catalog request.



======================================================
Name: CVE-2013-1652
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1652
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130211
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-1652/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: UBUNTU:USN-1759-1
Reference: URL:http://ubuntu.com/usn/usn-1759-1
Reference: BID:58443
Reference: URL:http://www.securityfocus.com/bid/58443
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote
authenticated users with a valid certificate and private key to read
arbitrary catalogs or poison the master's cache via unspecified
vectors.



======================================================
Name: CVE-2013-1653
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1653
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130211
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-1653/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: UBUNTU:USN-1759-1
Reference: URL:http://ubuntu.com/usn/usn-1759-1
Reference: BID:58446
Reference: URL:http://www.securityfocus.com/bid/58446
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening
for incoming connections is enabled and access to the "run" REST
endpoint is allowed, allows remote authenticated users to execute
arbitrary code via a crafted HTTP request.



======================================================
Name: CVE-2013-1654
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1654
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130211
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-1654/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: UBUNTU:USN-1759-1
Reference: URL:http://ubuntu.com/usn/usn-1759-1
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet
Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL
protocol between client and master, which allows remote attackers to
conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified
vectors.



======================================================
Name: CVE-2013-1655
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1655
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130211
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-1655/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: UBUNTU:USN-1759-1
Reference: URL:http://ubuntu.com/usn/usn-1759-1
Reference: BID:58442
Reference: URL:http://www.securityfocus.com/bid/58442
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby
1.9.3 or later, allows remote attackers to execute arbitrary code via
vectors related to "serialized attributes."



======================================================
Name: CVE-2013-2274
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2274
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130226
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-2274/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: BID:58447
Reference: URL:http://www.securityfocus.com/bid/58447
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7
allows remote authenticated users to execute arbitrary code on the
puppet master, or an agent with puppet kick enabled, via a crafted
request for a report.



======================================================
Name: CVE-2013-2275
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2275
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130226
Category: 
Reference: CONFIRM:https://puppetlabs.com/security/cve/cve-2013-2275/
Reference: DEBIAN:DSA-2643
Reference: URL:http://www.debian.org/security/2013/dsa-2643
Reference: UBUNTU:USN-1759-1
Reference: URL:http://ubuntu.com/usn/usn-1759-1
Reference: BID:58449
Reference: URL:http://www.securityfocus.com/bid/58449
Reference: SECUNIA:52596
Reference: URL:http://secunia.com/advisories/52596

The default configuration for puppet masters 0.25.0 and later in
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote
authenticated nodes to submit reports for other nodes via unspecified
vectors.
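The seven records above share a small set of affected-version ranges but differ in which branches each one covers and in the extra conditions attached (Ruby 1.9.3 or later for CVE-2013-1655, masters 0.25.0 and later for CVE-2013-2275, no Puppet Enterprise range at all for CVE-2013-1655). The Ruby script below is an added example, not part of this VIM post and not Puppet Labs code: it turns exactly the ranges stated in the records into a check that maps an installed Puppet or Puppet Enterprise version (and, where relevant, the Ruby it runs on) to the CVE identifiers that apply. The product symbols :puppet and :pe, the function names, and the sample versions are the example's own. Two readings are assumptions and are marked as such in the code: "before 2.6.18" is taken literally as every version below 2.6.18 in any branch, so a 3.0.x master, which none of the records name, is not flagged; and the 0.25.0 floor on CVE-2013-2275 is taken to refer to open-source version numbering only.

```ruby
# Added example: version-range check for the seven Puppet CVEs announced
# above. Not part of the VIM post or of Puppet itself.
require 'rubygems' # provides Gem::Version (loaded by default on Ruby >= 1.9)

# A rule is [branch, fixed]. The version is affected when it is below
# `fixed` and, if `branch` is given, belongs to that x.y branch.
# branch = nil encodes the records' "Puppet before 2.6.18" wording, which
# bounds every lower version regardless of branch (literal reading; assumed).
def affected_by?(version, branch, fixed)
  v = Gem::Version.new(version)
  if branch
    # Compare the first two numeric segments, so "2.70" is not mistaken for 2.7.x.
    return false unless v.segments.first(2) == Gem::Version.new(branch).segments.first(2)
  end
  v < Gem::Version.new(fixed)
end

# Ranges copied from the records. OSS_MAIN and PE_MAIN are the ranges shared
# by CVE-2013-1640, -1652, -1653 and -2275.
OSS_MAIN  = [[nil, '2.6.18'], ['2.7', '2.7.21'], ['3.1', '3.1.1']].freeze
OSS_27_31 = [['2.7', '2.7.21'], ['3.1', '3.1.1']].freeze
PE_MAIN   = [[nil, '1.2.7'], ['2.7', '2.7.2']].freeze

RULES = {
  'CVE-2013-1640' => { puppet: OSS_MAIN,  pe: PE_MAIN },
  'CVE-2013-1652' => { puppet: OSS_MAIN,  pe: PE_MAIN },
  'CVE-2013-1653' => { puppet: OSS_MAIN,  pe: PE_MAIN },
  'CVE-2013-1654' => { puppet: OSS_27_31, pe: [['2.7', '2.7.2']] },
  'CVE-2013-1655' => { puppet: OSS_27_31, pe: [] }, # record lists no PE range
  'CVE-2013-2274' => { puppet: [['2.6', '2.6.18']], pe: [['1.2', '1.2.7']] },
  'CVE-2013-2275' => { puppet: OSS_MAIN,  pe: PE_MAIN },
}.freeze

# product is :puppet (open source) or :pe (Puppet Enterprise).
# ruby_version is the master's Ruby; when unknown (nil) CVE-2013-1655 is
# reported rather than silently dropped. Returns the sorted CVE identifiers.
# Configuration-dependent conditions the records mention (listen/"run"
# endpoint for -1653, puppet kick for -2274, default config for -2275) are
# not modelled here: those CVEs are reported whenever the version matches.
def applicable_cves(product, version, ruby_version: nil)
  RULES.select do |cve, ranges|
    next false unless ranges.fetch(product).any? { |branch, fixed| affected_by?(version, branch, fixed) }
    case cve
    when 'CVE-2013-1655'
      # Record: only "when running Ruby 1.9.3 or later".
      ruby_version.nil? || Gem::Version.new(ruby_version) >= Gem::Version.new('1.9.3')
    when 'CVE-2013-2275'
      # Record: "puppet masters 0.25.0 and later"; assumed to refer to the
      # open-source numbering, so the floor is not applied to PE versions.
      product == :pe || Gem::Version.new(version) >= Gem::Version.new('0.25.0')
    else
      true
    end
  end.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, one line per master: product, version, Ruby.
  [[:puppet, '2.7.20', '1.8.7'], [:puppet, '3.1.0', '1.9.3'],
   [:puppet, '2.6.17', nil], [:puppet, '3.1.1', nil], [:pe, '1.2.6', nil]].each do |product, ver, rb|
    cves = applicable_cves(product, ver, ruby_version: rb)
    puts "#{product} #{ver} (ruby #{rb || 'unknown'}): #{cves.empty? ? 'not affected' : cves.join(', ')}"
  end
end
```

Run it against a real inventory by feeding `puppet --version` and `ruby --version` output into `applicable_cves`; a 2.7.20 master on Ruby 1.8.7 is reported for five of the seven (CVE-2013-1655 drops out because of the Ruby floor, CVE-2013-2274 because it is confined to the 2.6 branch), while 2.6.18, 2.7.21 and 3.1.1 come back clean.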




