Introduction

Puppet Labs takes the security of its products very seriously.  We respond to security issues and concerns promptly and when necessary release new versions of the product to address vulnerabilities or security issues in our products.

Security Policy

Puppet Labs supports responsible disclosure of security vulnerabilities.

Puppet Labs is happy to fully disclose all details of a security vulnerability but in the interests of responsible disclosure we do ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before publishing the details.

We have a strong relationship with all of our Linux distribution maintainers, and appreciate it when we have sufficient time to perform patch coordination with them before public disclosure. If you report an issue to us directly, we will coordinate this process.

We believe in giving credit to security researchers if they so desire. When reporting an issue to us, please let us know whether you would like to be publicly credited, and how you would like to be identified.

Puppet Labs would like to thank those who have responsibly disclosed security vulnerabilities in our products and online services.

Security Reporting Process

If you have identified an issue then please send an email to the Security mailbox with the details.  If you wish to contact us via phone to report a security issue please call 1-877-575-9775.

Subscribing to Security Announcements

All Puppet Labs security announcements are sent to the puppet-announce mailing list. If you wish to be informed as security updates are released, please subscribe to this list.

Security Disclosures

• CVE-2013-2716 – CAS Client Config Vulnerability
• Resolved in Puppet Enterprise 2.8.0
• CVE-2013-2275 – Incorrect Default Report ACL Vulnerability
• Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2
• CVE-2013-2274 – Remote Code Execution Vulnerability
• Resolved in Puppet 2.6.18, Puppet Enterprise 1.2.7
• CVE-2013-1655 – Unauthenticated Remote Code Execution Vulnerability
• Resolved in Puppet 2.7.21, 3.1.1
• CVE-2013-1654 – SSL Protocol Downgrade Vulnerability
• Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2
• CVE-2013-1653 – Agent Remote Code Execution Vulnerability
• Resolved in Puppet 2.7.21, 3.1.1, Puppet Enterprise 2.7.2
• CVE-2013-1652 – Insufficient Input Validation Vulnerability
• Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2
• CVE-2013-1640 – Remote Code Execution Vulnerability
• Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2
• CVE-2013-0277 – Rails (ActiveRecord) YAML Serialization Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.6, and 2.7.1
• CVE-2013-0269 – JSON Unsafe Object Creation Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.6, and 2.7.1
• CVE-2013-0263 – Rack Timing Attack Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.6, and 2.7.1
• CVE-2013-0169 – OpenSSL Lucky Thirteen Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.6, and 2.7.1
• CVE-2013-1399 – Console CSRF Vulnerability
• Resolved in Puppet Enterprise 2.7.1
• CVE-2013-1398 – MCO Private Key Leak
• Resolved in Puppet Enterprise 2.7.1
• CVE-2013-0333 – Rails JSON Parser Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.5, and 2.7.0
• CVE-2013-0155 – Rails (ActiveRecord) Unsafe Query Generation Risk
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.5, and 2.7.0
• CVE-2013-0156 – Rails (ActionPack) SQL Injection Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.5, and 2.7.0
• CVE-2012-5664 – Rails (ActiveRecord) SQL Injection Vulnerability
• Puppet Enterprise Hotfixes for Puppet Enterprise 1.2.5, and 2.7.0
• CVE-2012-5158 – Incorrect Session Handling
• Resolved in Puppet Enterprise 2.6.1
• CVE-2012-3864 – Arbitrary File Read
• Resolved in Puppet 2.6.17, 2.7.18, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.2
• CVE-2012-3865 – Arbitrary file delete/D.O.S on Puppet Master
• Resolved in Puppet 2.6.17, 2.7.18, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.2
• CVE-2012-3866 – last_run_report.yaml is World-Readable
• Resolved in Puppet 2.7.18, Puppet Enterprise Hotfixes for 2.0.x, Puppet Enterprise 2.5.2
• CVE-2012-3867 – Insufficient Input Validation
• Resolved in Puppet 2.6.17, 2.7.18, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.2
• CVE-2012-3408 – Agent Impersonation
• Addressed in 2.7.18, Puppet Enterprise Hotfixes for 2.0.x, Puppet Enterprise 2.5.2
• CVE-2012-1906 – Arbitrary Code Execution
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1986 – Arbitrary File Read
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1987 – Denial of Service
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1988 – Arbitrary Code Execution
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1989 – Arbitrary File Write
• Resolved in Puppet 2.7.13, Puppet Enterprise 2.5.1, Puppet Enterprise Hotfixes for 2.0.x; not applicable to earlier versions
• CVE-2012-1053 – Puppet Resource Local Group Privilege Escalation
• Resolved in Puppet 2.6.14, 2.7.11, Puppet Enterprise Hotfixes for 1.0, 1.1 and 1.2.x, Puppet Enterprise 2.0.3
• CVE-2012-1054 – K5login Local User Privilege Escalation
• Resolved in Puppet 2.6.14, 2.7.11, Puppet Enterprise Hotfixes for 1.0, 1.1 and 1.2.x, Puppet Enterprise 2.0.3
• CVE-2012-0891 – Dashboard Cross Site Scripting (XSS) Vulnerability
• Resolved in Puppet Dashboard 1.2.5, Puppet Enterprise Hotfixes for 1.0, 1.1 and 1.2.x, Puppet Enterprise 2.0.1
• CVE-2011-3872 – AltNames Vulnerability
• Resolved in Puppet 0.25.6, 2.6.12, 2.7.6, Puppet Enterprise 1.2.4
• CVE-2011-3871 – Puppet Resource Local Privilege Escalation
• Resolved in 2.7.5 and 2.6.11, Puppet Enterprise 1.2.3
• CVE-2011-3870 – SSH Auth Key Local Privilege Escalation
• Resolved in 2.7.5 and 2.6.11, Puppet Enterprise 1.2.3
• CVE-2011-3869 – K5login Local Privilege Escalation
• Resolved in 2.7.5 and 2.6.11, Puppet Enterprise 1.2.3
• CVE-2011-3848 – Directory Traversal Write Vulnerability
• Resolved in Puppet 2.7.4 and 2.6.10, Puppet Enterprise 1.2.2
• auth-conf-2010-10 – Missing Auth.conf Resource Manipulation
• Resolved in Puppet 2.6.4
• CVE-2010-0156 – File overwrite vulnerability via symlink attack
• Resolved in Puppet 0.25.2, 0.24.9
• CVE-2009-3564 – Failure to reset supplementary groups
• Resolved in Puppet 0.25.2