Introduction

Puppet Labs takes the security of its products very seriously.  We respond to security issues and concerns promptly and when necessary release new versions of the product to address vulnerabilities or security issues in our products.

Security Policy

Puppet Labs supports responsible disclosure of security vulnerabilities.

Puppet Labs is happy to fully disclose all details of a security vulnerability but in the interests of responsible disclosure we do ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before publishing the details.

We have a strong relationship with all of our Linux distribution maintainers, and appreciate it when we have sufficient time to perform patch coordination with them before public disclosure. If you report an issue to us directly, we will coordinate this process.

We believe in giving credit to security researchers if they so desire. When reporting an issue to us, please let us know whether you would like to be publicly credited, and how you would like to be identified.

Security Reporting Process

If you have identified an issue then please send an email to the Security mailbox with the details.  If you wish to contact us via phone to report a security issue please call 1-877-575-9775.

Security Disclosures

• CVE-2012-1906 – Arbitrary Code Execution
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1986 – Arbitrary File Read
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1987 – Denial of Service
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1988 – Arbitrary Code Execution
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1989 – Arbitrary File Write
• Resolved in Puppet 2.6.15, 2.7.13, Puppet Enterprise Hotfixes for 1.0, 1.1, 1.2.x, and 2.0.x, Puppet Enterprise 2.5.1
• CVE-2012-1053 – Puppet Resource Local Group Privilege Escalation
• Resolved in Puppet 2.6.14, 2.7.11, Puppet Enterprise Hotfixes for 1.0, 1.1 and 1.2.x, Puppet Enterprise 2.0.3
• CVE-2012-1054 – K5login Local User Privilege Escalation
• Resolved in Puppet 2.6.14, 2.7.11, Puppet Enterprise Hotfixes for 1.0, 1.1 and 1.2.x, Puppet Enterprise 2.0.3
• CVE-2012-0891 – Dashboard Cross Site Scripting (XSS) Vulnerability
• Resolved in Puppet Dashboard 1.2.5, Puppet Enterprise Hotfixes for 1.0, 1.1 and 1.2.x, Puppet Enterprise 2.0.1
• CVE-2011-3872 – AltNames Vulnerability
• Resolved in Puppet 0.25.6, 2.6.12, 2.7.6, Puppet Enterprise 1.2.4
• CVE-2011-3871 – Puppet Resource Local Privilege Escalation
• Resolved in 2.7.5 and 2.6.11, Puppet Enterprise 1.2.3
• CVE-2011-3870 – SSH Auth Key Local Privilege Escalation
• Resolved in 2.7.5 and 2.6.11, Puppet Enterprise 1.2.3
• CVE-2011-3869 – K5login Local Privilege Escalation
• Resolved in 2.7.5 and 2.6.11, Puppet Enterprise 1.2.3
• CVE-2011-3848 – Directory Traversal Write Vulnerability
• Resolved in Puppet 2.7.4 and 2.6.10, Puppet Enterprise 1.2.2
• auth-conf-2010-10 – Missing Auth.conf Resource Manipulation
• Resolved in Puppet 2.6.4
• CVE-2010-0156 – File overwrite vulnerability via symlink attack
• Resolved in Puppet 0.25.2, 0.24.9
• CVE-2009-3564 – Failure to reset supplementary groups
• Resolved in Puppet 0.25.2