Debian DSA-2352-1 : puppet - programming error

This script is Copyright (C) 2011-2013 Tenable Network Security, Inc.


Synopsis :

The remote Debian host is missing a security-related update.

Description :

It was discovered that Puppet, a centralized configuration management
solution, generated certificates incorrectly if the 'certdnsnames'
option was used. This could lead to man-in-the-middle attacks. More
details are available on the Puppet web site.

See also :

http://puppetlabs.com/security/cve/cve-2011-3872/
http://www.debian.org/security/2011/dsa-2352

Solution :

Upgrade the puppet packages.

For the oldstable distribution (lenny), this problem has been fixed in
version 0.24.5-3+lenny2.

For the stable distribution (squeeze), this problem has been fixed in
version 2.6.2-5+squeeze3.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 2.1
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Debian Local Security Checks

Nessus Plugin ID: 56923

Bugtraq ID: 50356

CVE ID: CVE-2011-3872