Re: puppet, repos, security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 31 October 2013 07:30, ignasr@xxxxxxxxxx <ignasr@xxxxxxxxxx> wrote:

> I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar
> 2013. EPEL has an even older version.
>

A very old and occasionally suspect repo (rpmforge) in terms of lack of
updates (see the clamav issues a little while back). EPEL is better but
stays a lot older.


> Then I see this: http://puppetlabs.com/security/cve/cve-2013-3567 that
> was posted on the month of July 2013.
>
> Do I understand correctly, that my puppet-master is vulnerable to remote
> code execution by every node that has access to master's port tcp/8140?
>
>
Yes that is almost certainly the case - best to check the --changelog of
the RPM you are using though.


> If so, then the only option to use puppet while being safe is to use
> puppetlabs repo, or build puppet myself?
>
>
Using the official puppetlabs repo is the best/right answer and will allow
you to be on the most recent puppet version - there are significant reasons
why this is desirable.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux