PT-2012-1099 · Puppet

Published: 2012-03-06 · Updated: 2019-07-11 · CVE-2012-1054

CVSS v2.0: 6.9 (Medium)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Puppet versions 2.6.x through 2.6.13
Puppet versions 2.7.x through 2.7.10
Puppet Enterprise (PE) Users versions 1.0 through 1.2.x
Puppet Enterprise (PE) Users versions 2.0.x through 2.0.2
Description

The issue affects the puppet package in Gentoo Linux and allows local users to gain privileges via a symlink attack on .k5login when Puppet manages a user's login file with the k5login resource type: because the file is written without checking whether the path is a symbolic link, the write can be redirected to a file the local user could not otherwise modify. This can lead to a violation of the confidentiality, integrity, and availability of protected information. Exploitation requires local access.
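The defect class above is a privileged writer following a symbolic link placed at a user-controlled path. The following is an added example, not Puppet's code and not the fix shipped in 2.6.14/2.7.11: a helper (hypothetical name write_login_file_safely) that refuses to write through a symlink or to a non-regular file, and uses O_NOFOLLOW so the check cannot be raced. It assumes a POSIX system where Ruby exposes File::NOFOLLOW (Linux, BSD, macOS). The demo builds its own files in a temporary directory.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not Puppet's own code). Write a user login file such as
# ~/.k5login from a privileged process without following symlinks.
# Two layers of defence:
#   1. lstat-based checks that the path is not a symlink and, if present,
#      is a regular file;
#   2. O_NOFOLLOW on the open itself, so a link swapped in between the
#      check and the open makes the open fail (Errno::ELOOP) instead of
#      being followed to its target.
def write_login_file_safely(path, contents, mode: 0644)
  raise SecurityError, "refusing to write through symlink: #{path}" if File.symlink?(path)
  if File.exist?(path) && !File.file?(path)
    raise SecurityError, "refusing to write to non-regular file: #{path}"
  end
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(path, flags, mode) { |f| f.write(contents) }
  true
end

# Demonstration on constructed files: a regular .k5login is written, a
# symlinked .k5login is refused, and the link target is left untouched.
def demo_k5login_write
  Dir.mktmpdir do |dir|
    regular = File.join(dir, '.k5login')
    target  = File.join(dir, 'protected')   # stands in for a root-owned file
    link    = File.join(dir, '.k5login_link')
    File.write(target, "original\n")
    File.symlink(target, link)

    wrote = write_login_file_safely(regular, "user@EXAMPLE.COM\n")
    refused = begin
      write_login_file_safely(link, "other@EXAMPLE.COM\n")
      false
    rescue SecurityError, Errno::ELOOP
      true
    end

    {
      wrote_regular:   wrote && File.read(regular) == "user@EXAMPLE.COM\n",
      refused_symlink: refused,
      target_intact:   File.read(target) == "original\n"
    }
  end
end

puts demo_k5login_write.inspect if $PROGRAM_NAME == __FILE__
```

The lstat checks give a clear error message; the O_NOFOLLOW flag is what actually closes the time-of-check/time-of-use window, so keep both even though the second alone is sufficient for safety.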
Recommendations

For Puppet versions 2.6.x through 2.6.13, update to version 2.6.14 or later.
For Puppet versions 2.7.x through 2.7.10, update to version 2.7.11 or later.
For Puppet Enterprise (PE) Users versions 1.0 through 1.2.x, update to a version after 2.0.2.
For Puppet Enterprise (PE) Users versions 2.0.x through 2.0.2, update to version 2.0.3 or later.

As a temporary workaround, consider restricting access to the k5login resource type until a patch is available.

Related Identifiers

BDU:2015-09427
CVE-2012-1054
DSA-2419-1

Affected Products

Gentoo Linux
Puppet
Puppet Enterprise (PE) Users
SUSE