Security Advisory Moderate: puppet security update

Advisory: RHSA-2013:1283-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-09-24
Last updated on: 2013-09-24
Affected Products: Red Hat OpenStack 3.0
CVEs ( CVE-2013-3567


Updated puppet packages that fix several security issues are now available
for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Puppet allows provisioning, patching, and configuration of clients to be
managed and automated.

A flaw was found in the way Puppet handled YAML content during
Representational State Transfer (REST) API calls. An attacker could
construct a request containing a crafted YAML payload that would cause the
Puppet master to execute arbitrary code. (CVE-2013-3567)

It was found that resource_type requests could be used to cause the Puppet
master to load and run Ruby files from anywhere on the file system. In
non-default configurations, a local user on the Puppet master server could
use this flaw to have arbitrary Ruby code executed with the privileges of
the Puppet master. (CVE-2013-4761)

It was found that Puppet Module Tool (that is, running "puppet module"
commands from the command line) applied incorrect permissions to installed
modules. If a malicious, local user had write access to the Puppet module
directory, they could use this flaw to modify the modules and therefore
execute arbitrary code with the privileges of the Puppet master.

Red Hat would like to thank Puppet Labs for reporting these issues.
Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-3567.

Note: OpenStack uses these puppet packages with PackStack, a command line
utility that uses Puppet modules to support rapid deployment of OpenStack
on existing servers over an SSH connection. The Puppet master is not used
in this configuration, and as such, CVE-2013-3567 and CVE-2013-4761 are not
exploitable in this OpenStack use case.

Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat OpenStack 3.0

facter-1.6.6-1.el6_4.src.rpm     MD5: f5eecc1c0b06d82c88a5ac846fd44ed1
SHA-256: 877433b8aca5e183ff4a3b5b231d74bb80938294882783d20225142ec3453ce2
hiera-1.0.0-3.el6_4.src.rpm     MD5: 6d9adb714d8d37e2e87e2a7e3034504b
SHA-256: d67a3fd1d3df534d4dfe8478d212e02dd5650e92a9dcf66bb7c8e1ffe2a8c1f7
puppet-3.2.4-1.el6_4.src.rpm     MD5: ee1c0c3f502ef907c3c57f5215682408
SHA-256: a119e28843dfc323cbbde118cb7b61d975abf03c723263d29f1128cef03def60
ruby-augeas-0.4.1-1.el6_4.src.rpm     MD5: 3287c41b26da77c5e02d528d89184343
SHA-256: e62e4f332a34b2201e9388c51e80aab4c04fd578bd13bfc4bd6ded0f7a4e3ded
ruby-shadow-1.4.1-13.el6_4.src.rpm     MD5: 9a3e91a32af6f0c88663ce8d851ff6b1
SHA-256: 80021ea4394883b00a1f97d17d4c8cc19b8120a1275968961baad21d78c0df56
facter-1.6.6-1.el6_4.x86_64.rpm     MD5: 6bdb34a553ce1e9a22b21f606bf4275b
SHA-256: 28553f390657923911f1248229f6e7d631307e71e1fdeca37a34d79c918a0e99
hiera-1.0.0-3.el6_4.noarch.rpm     MD5: 11e6dba30b684db52c09bae262c59e44
SHA-256: 6153b3b2168f6dbdc7ef0da43c8d198d46ee96811c22903ba5bbd1ec74cf6d36
puppet-3.2.4-1.el6_4.noarch.rpm     MD5: 769740b15af8c836f8e10cbcab3c58da
SHA-256: 71e6fc1387e10bfb51949ecc6bd36180873cbe5f2e96a837b60b5d6f4a0a041f
puppet-server-3.2.4-1.el6_4.noarch.rpm     MD5: 68a224e590c0714ffbc988c319edb50f
SHA-256: ae34a98818040ecc37a293adba0a3e7a77ce8eec9361f9556c8be4eb2849f945
ruby-augeas-0.4.1-1.el6_4.x86_64.rpm     MD5: aa5fa55aa6b658c91e65edb73e38a619
SHA-256: 127a06c7828a8c727c7cc2f1d744523f84e5f70853a95634fd4b54aad52f9e0c
ruby-augeas-debuginfo-0.4.1-1.el6_4.x86_64.rpm     MD5: be3e3340381601343d244acb549fe5c7
SHA-256: 4692889935ed70c01625ff61c80920009831a2ae993ca6114ec9d8ff5712acc7
ruby-shadow-1.4.1-13.el6_4.x86_64.rpm     MD5: adebb28bd6b19d4ea24877d14eb0c42a
SHA-256: e30175c868c7f306ff2dfc8c5068f56c4e6901121732348f434d5129cba87281
ruby-shadow-debuginfo-1.4.1-13.el6_4.x86_64.rpm     MD5: 112b9689bc143e2ab6ced112c9b9dd2b
SHA-256: 6cc4c486d4675778e1c6fdcc3c2042ca7c66194d3699af144bfd08196527cbc8
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

974649 - CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
996855 - CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution
996856 - CVE-2013-4761 Puppet: resource_type service code execution


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at