FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  366223
Date:      2014-08-26
Time:      16:36:41Z
Committer: rene

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
607d2108-a0e4-423a-bf78-846f2a8f01b0puppet -- Multiple Vulnerabilities

Multiple vulnerabilities exist in puppet that can result in arbitrary code execution, arbitrary file read access, denial of service, and arbitrary file write access. Please review the details in each of the CVEs for additional information.


Discovery 2012-03-26
Entry 2012-04-10
puppet
lt 2.7.12_1

CVE-2012-1906
CVE-2012-1986
CVE-2012-1987
CVE-2012-1988
CVE-2012-1989
http://puppetlabs.com/security/cve/cve-2012-1906/
http://puppetlabs.com/security/cve/cve-2012-1986/
http://puppetlabs.com/security/cve/cve-2012-1987/
http://puppetlabs.com/security/cve/cve-2012-1988/
http://puppetlabs.com/security/cve/cve-2012-1989/
607d2108-a0e4-423a-bf78-846f2a8f01b0puppet -- Multiple Vulnerabilities

Multiple vulnerabilities exist in puppet that can result in arbitrary code execution, arbitrary file read access, denial of service, and arbitrary file write access. Please review the details in each of the CVEs for additional information.


Discovery 2012-03-26
Entry 2012-04-10
puppet
lt 2.7.12_1

CVE-2012-1906
CVE-2012-1986
CVE-2012-1987
CVE-2012-1988
CVE-2012-1989
http://puppetlabs.com/security/cve/cve-2012-1906/
http://puppetlabs.com/security/cve/cve-2012-1986/
http://puppetlabs.com/security/cve/cve-2012-1987/
http://puppetlabs.com/security/cve/cve-2012-1988/
http://puppetlabs.com/security/cve/cve-2012-1989/
101f0aae-52d1-11e2-87fe-f4ce46b9ace8puppet -- multiple vulnerabilities

puppet -- multiple vulnerabilities

Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to.

Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high). Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default.

Insufficient input validation for agent hostnames (low). An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent.


Discovery 2012-07-10
Entry 2012-12-30
puppet
gt 2.6.* lt 2.6.17

CVE-2012-3864
CVE-2012-3865
CVE-2012-3867
http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17
http://puppetlabs.com/security/cve/cve-2012-3864/
http://puppetlabs.com/security/cve/cve-2012-3865/
http://puppetlabs.com/security/cve/cve-2012-3867/
b162b218-c547-4ba2-ae31-6fdcb61bc763puppet -- Unauthenticated Remote Code Execution Vulnerability

Puppet Developers report:

When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.


Discovery 2013-06-13
Entry 2013-06-22
Modified 2013-08-01
puppet
ge 2.7 lt 2.7.22

ge 3.0 lt 3.2.2

CVE-2013-3567