PublicDateAtUSN: 2013-03-12 18:00:00 UTC
Candidate: CVE-2013-1640
CRD: 2013-03-12 18:00:00 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1640
https://puppetlabs.com/security/cve/cve-2013-1640/
https://usn.ubuntu.com/usn/usn-1759-1
The (1) template and (2) inline_template functions in the master server in
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote
authenticated users to execute arbitrary code via a crafted catalog
mdeslaur> Upstream no longer supports 0.25.x as found in lucid. The code
mdeslaur> is substantially different, rendering a backport of this
mdeslaur> security update difficult. Since puppet in Lucid is almost
mdeslaur> end-of-life, we aren't planning on backporting the security fix
mdeslaur> to it. For Lucid users, we recommend using puppet
mdeslaur> 2.7.1-1ubuntu3.8~ubuntu10.04.1 currently in lucid-backports.
upstream_puppet: released (2.6.18, 2.7.21, 3.1.1)
hardy_puppet: ignored (reached end-of-life)
oneiric_puppet: released (2.7.1-1ubuntu3.8)
precise_puppet: released (2.7.11-1ubuntu2.2)
quantal_puppet: released (2.7.18-1ubuntu1.1)
devel_puppet: released (2.7.18-1ubuntu2)