Ubuntu 9.10 : puppet vulnerabilities (USN-917-1)

Ubuntu Security Notice (C) 2010-2013 Canonical, Inc. / NASL script (C) 2010-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

It was discovered that Puppet did not drop supplementary groups when
being run as a different user. A local user may be able to use this
flaw to bypass security restrictions and gain access to restricted
files. (CVE-2009-3564)

It was discovered that Puppet did not correctly handle temporary
files. A local user can exploit this flaw to bypass security
restrictions and overwrite arbitrary files. (CVE-2010-0156).

Solution :

Update the affected puppet, puppet-testsuite and / or puppetmaster
packages.

Risk factor :

Medium / CVSS Base Score : 4.7
(CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVSS Temporal Score : 3.9
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 45342 ()

Bugtraq ID: 36628
38474

CVE ID: CVE-2009-3564
CVE-2010-0156