-------------------------------------------------------------------
Mon Feb 12 12:47:54 UTC 2018 - kstreitova@suse.com

- add puppet-2.7.26-CVE-2017-2295.patch to fix a security
  vulnerability where an attacker could force YAML deserialization
  in an unsafe manner, which would lead to remote code execution.
  By default, this update would break backwards compatibility with
  Puppet agents older than 3.2.2, as the SLE11 master doesn't support
  fact formats other than pson by default anymore.
  In order to allow users to continue using their SLE11 agents, the
  puppet-2.7.26-CVE-2017-2295-agent.patch patch was added. This patch
  enables sending PSON from agents.
  For non-SUSE clients older than 3.2.2, a new puppet master boolean
  option "dangerous_fact_formats" was added. When it's set to true,
  it enables using dangerous fact formats (e.g. YAML). When it's set
  to false, only the PSON fact format is accepted.
  [bsc#1040151], [CVE-2017-2295], [bsc#1077767]

-------------------------------------------------------------------
Wed Mar 18 10:02:53 UTC 2015 - kstreitova@suse.com

- specfile newly creates /etc/puppet/manifests/site.pp file because
  puppet daemon refuses to start without this file (bnc#835891)

-------------------------------------------------------------------
Thu Jan 22 14:17:35 UTC 2015 - kstreitova@suse.com

- add puppet-2.7.26-cert_signing.patch in order to fix Puppet Cert
  Requests signing fail caused by the difference between the client
  (uses md5) and master (uses SHA256 or SHA1) (bnc#913078).

-------------------------------------------------------------------
Wed Jul 30 15:40:16 UTC 2014 - vdziewiecki@suse.com

- Update to puppet 2.7, as it was decided in fate#314957 bnc#889585
- Removed unneeded patches:
  * puppet-2.6.12-zypper-regexp.patch
  * puppet-2.6-CVE-3567.patch.bz2
  * bug-853982_Add-boot-reboot-to-excludes-list-for-redhat-pr.patch
  * puppet-CVE-2013-4969.patch
  * puppet-CVE-2014-3248_and_3250.patch

-------------------------------------------------------------------
Thu Jun 26 13:02:25 UTC 2014 - vdziewiecki@suse.com

- fix bnc#856843 - VUL-0: CVE-2013-4969: puppet: Unsafe use of Temp
  files in File type (Local Privilege Escalation):
  puppet-CVE-2013-4969.patch
- fix bnc#879913 - VUL-0: CVE-2014-3248,CVE-2014-3250: puppet code
  execution: puppet-CVE-2014-3248_and_3250.patch

-------------------------------------------------------------------
Tue Mar 18 10:55:20 UTC 2014 - mrueckert@suse.de

- drop bug-835122_ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch:
  revert broken backport (bnc#864082)

-------------------------------------------------------------------
Thu Jan 16 15:23:08 UTC 2014 - vdziewiecki@suse.com

- fix bnc#835122 - VUL-0: CVE-2013-4761: puppet: `resource_type`
  remote code execution vulnerability
- added patches:
  * bug-835122_ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch

-------------------------------------------------------------------
Tue Jan 7 13:07:28 UTC 2014 - vdziewiecki@suse.com

- fix bnc#853982 - puppet resource service causes system restart:
  bug-853982_Add-boot-reboot-to-excludes-list-for-redhat-pr.patch

-------------------------------------------------------------------
Thu Sep 5 11:54:52 UTC 2013 - vdziewiecki@suse.com

- fix Bug 835848 - L3: puppet breaks after updating to 2.6.18-0.6.1

-------------------------------------------------------------------
Mon Jul 29 15:41:06 UTC 2013 - vdziewiecki@suse.com

- fix bnc#825878 - VUL-0: puppet: CVE-2013-3567: Unauthenticated
  Remote Code Execution Vulnerability

-------------------------------------------------------------------
Mon Mar 18 17:02:05 UTC 2013 - vdziewiecki@suse.com

- Update to 2.6.18 to fix numerous CVEs, see bnc#809839
- Changed tarball compression to bz2.

-------------------------------------------------------------------
Wed Jul 11 13:48:05 UTC 2012 - vdziewiecki@suse.com

- CVEs:
- Fix bnc#770828 - VUL-0: CVE-2012-3864: puppet: authenticated
  clients can read arbitrary files via a flaw in puppet master
- Fix bnc#770829 - VUL-0: CVE-2012-3865: puppet: arbitrary file
  delete / Denial of Service on Puppet Master by authenticated
  clients
- Fix bnc#770833 - VUL-1: CVE-2012-3867: puppet: insufficient input
  validation for agent certificate names
- I used the new stable version, 2.6.17, which only receives
  security fixes.
- Removed runlevel 4.

-------------------------------------------------------------------
Tue Apr 10 14:33:57 UTC 2012 - vcizek@suse.com

- correct parsing of zypper list-updates (bnc#755726)

-------------------------------------------------------------------
Tue Apr 10 13:03:31 UTC 2012 - vcizek@suse.com

- fixes for CVE-2011-1986,CVE-2012-1987,CVE-2012-1988,CVE-2012-1989
  corresponding bugs: bnc#755869, bnc#755870, bnc#755871, bnc#755872

-------------------------------------------------------------------
Thu Feb 23 16:24:26 UTC 2012 - dlovasko@suse.com

- bnc#747657 - added klogin-suid.patch to fix local user privilege
  escalations

-------------------------------------------------------------------
Wed Jan 11 13:35:57 UTC 2012 - vcizek@suse.com

- correct ownership of dirs in /var (bnc#739361)

-------------------------------------------------------------------
Tue Nov 8 11:07:42 UTC 2011 - vcizek@suse.com

- update to 2.6.12
- fixes several security bugs:
  CVE-2011-3848, CVE-2011-3869, CVE-2011-3870, CVE-2011-3871,
  CVE-2011-3872
  (bnc#727024, bnc#727025, bnc#726372, bnc#721139)

-------------------------------------------------------------------
Fri May 20 07:28:14 UTC 2011 - vcizek@novell.com

- using correct port for puppet in the firewall rules (bnc#694825)

-------------------------------------------------------------------
Tue Apr 27 15:34:07 CEST 2010 - anicka@suse.cz

- fixed CVE-2010-0156 (bnc#585402, bnc#600093)

-------------------------------------------------------------------
Wed Apr 15 15:42:41 CEST 2009 - mantel@suse.de

- update to 0.24.8

-------------------------------------------------------------------
Mon Apr 6 15:32:43 CEST 2009 - mantel@suse.de

- add zypper.rb plugin by Leo Eraly

-------------------------------------------------------------------
Mon Feb 9 16:49:36 CET 2009 - anicka@suse.cz

- update to 2.4.7
  * Deprecate the NetInfo nameservice provider. Use directoryservice
    instead
  * Add macauthorization type
  * Refactoring the thread-safety in Puppet::Util
  * Removing the included testing gems; you must now install them
    yourself
  * Refactoring of SELinux functions to use native Ruby SELinux
    interface
  * Removing all mention of EPM, RPM, or Sun packages.
  * Replaced SELinux calls to binaries with Ruby SELinux bindings
  * Adding support to the user type for: profiles, auths, project,
    key/value pairs (extension to Solaris RBAC support added in
    0.24.6)
  * Added a number of confines to package providers
  * lots of bugfixes
- add sysconfig, firewall definitions, package init scripts
  (bnc#465778)

-------------------------------------------------------------------
Tue Sep 9 17:42:21 CEST 2008 - anicka@suse.cz

- update to 0.24.5
  * You can now select the encoding format when transferring the
    catalog, with 'yaml' still being the default but 'marshal' being
    an option.
  * Removed support for the 'node_name' setting in LDAP and external
    node lookups.
  * Also removed support for 'default' nodes in external nodes.
  * Exporting or collecting resources no longer raises an exception
    when no storeconfigs is enabled, it just produces a warning.
  * Always using the cert name to store yaml files
  * Added support for the --all option to puppetca --clean.
    If puppetca --clean --all is issued then all client certificates
    are removed.
  * Resources now return the 'should' value for properties from the
    [] accessor method (they previously threw an exception when this
    method was used with properties).
  * Modified the 'master' handler to use the Catalog class to compile
    node configurations, rather than using the Configuration handler,
    which was never used directly.
  * Modified the 'master' handler (responsible for sending
    configurations to clients) to always return Time.now as its
    compile date, so configurations will always get recompiled.
  * Saving new facts now expires any cached node information.
  * Switching how caching is handled, so that objects now all have an
    expiration date associated with them. This makes it much easier
    to know whether a given cached object should be used or if it
    should be regenerated.
  * Changing the default environment to production.
- fix installation script (man8 permissions)

-------------------------------------------------------------------
Mon Sep 1 14:06:07 CEST 2008 - anicka@suse.cz

- package created (version 0.24.4)