Advisories ยป MGASA-2013-0187

Updated puppet packages fix remote code execution vulnerability

Publication date: 26 Jun 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2013-3567

Description

When making REST api calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object.
A YAML payload can be crafted to cause the deserialization to construct
an instance of any class available in the ruby process, which allows an
attacker to execute code contained in the payload.
                

References

SRPMS

2/core

3/core