SuSE 11.2 Security Update : puppet (SAT Patch Number 7526)

high Nessus Plugin ID 65796

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

puppet has been updated to 2.6.18 to fix multiple vulnerabilities and bugs.

- (#19391) Find the catalog for the specified node name

- Don't assume master supports SSLv2

- Don't require openssl client to return 0 on failure

- Display SSL messages so we can match our regex

- Don't assume puppetbindir is defined

- Remove unnecessary rubygems require

- Run openssl from windows when trying to downgrade master

- Separate tests for same CVEs into separate files

- Fix order-dependent test failure in rest_authconfig_spec

- Always read request body when using Rack

- (#19392) (CVE-2013-1653) Fix acceptance test to catch unvalidated model on 2.6

- (#19392) (CVE-2013-1653) Validate indirection model in save handler

- Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275)

- (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname

- (#19391) Backport Request#remote? method

- (#8858) Explicitly set SSL peer verification mode.

- (#8858) Refactor tests to use real HTTP objects

- (#19392) (CVE-2013-1653) Validate instances passed to indirector

- (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests

- (#19151) Reject SSLv2 SSL handshakes and ciphers

- (#14093) Restore access to the filename in the template

- (#14093) Remove unsafe attributes from TemplateWrapper

Solution

Apply SAT patch number 7526.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=809839

http://support.novell.com/security/cve/CVE-2013-1640.html

http://support.novell.com/security/cve/CVE-2013-1652.html

http://support.novell.com/security/cve/CVE-2013-1653.html

http://support.novell.com/security/cve/CVE-2013-1654.html

http://support.novell.com/security/cve/CVE-2013-1655.html

http://support.novell.com/security/cve/CVE-2013-2274.html

http://support.novell.com/security/cve/CVE-2013-2275.html

Plugin Details

Severity: High

ID: 65796

File Name: suse_11_puppet-130320.nasl

Version: 1.4

Type: local

Agent: unix

Published: 4/4/2013

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:puppet-server, p-cpe:/a:novell:suse_linux:11:puppet, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 3/20/2013

Reference Information

CVE: CVE-2013-1640, CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655, CVE-2013-2274, CVE-2013-2275