This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.
Synopsis :
The remote Debian host is missing a security-related update.
Description :
Several security vulnerabilities have been found in Puppet, a
centralized configuration management system :
- CVE-2012-3864
Authenticated clients could read arbitrary files on the
puppet master.
- CVE-2012-3865
Authenticated clients could delete arbitrary files on
the puppet master.
- CVE-2012-3866
The report of the most recent Puppet run was stored with
world-readable permissions, resulting in information
disclosure.
- CVE-2012-3867
Agent hostnames were insufficiently validated.
See also :
http://security-tracker.debian.org/tracker/CVE-2012-3864
http://security-tracker.debian.org/tracker/CVE-2012-3865
http://security-tracker.debian.org/tracker/CVE-2012-3866
http://security-tracker.debian.org/tracker/CVE-2012-3867
http://www.debian.org/security/2012/dsa-2511
Solution :
Upgrade the puppet packages.
For the stable distribution (squeeze), this problem has been fixed in
version 2.6.2-5+squeeze6.
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
Family: Debian Local Security Checks
Nessus Plugin ID: 60002
Bugtraq ID: 54399
CVE ID: CVE-2012-3864
CVE-2012-3865
CVE-2012-3866
CVE-2012-3867