back to article Remote code execution vuln appears in Puppet

Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet. The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid- …


This topic is closed for new posts.
  1. btrower

    What the fail?

    Let me get this straight: Code designed to execute arbitrary code executes arbitrary code. Did I miss a meeting? Does the fix involve, stopping arbitrary code from executing? Who is doing security walk-throughs or auditing this stuff?

  2. Anonymous Coward
    Anonymous Coward

    why bother?

    admittedly the press release itself is annoyingly non-specific, but that's no excuse for just republishing it verbatim merely wrapped with a few excerpts from puppet's about us page. in the future just link to the press release and the company's wikipedia page.

    1. Robert Helpmann??

      Re: why bother?

      ...that's no excuse for just republishing [the press release] verbatim...

      Clearly that is not all that was done here. For added value, we have information about and a link to a competitor's product.

      Also, why not a mention that they gave credit to the person who discovered the flaw as this is a theme in security research these days? Did the company pay a bounty on this or is a mention on the web site the best they can do?

  3. asdf

    So is Puppet Labs really now a bunch of muppets?

  4. Long John Brass


    Any config management system should be on a management only subnet & not visible to the world or even to the local infrastructure

    Still ... looks like I'll be doing a round of systems patching today :)

  5. Trevor_Pott Gold badge

    Puppet, patch thyself.

  6. edmundedgar

    Puppet 2.6?

    The Registers says Puppet Labs "advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later", but there's nothing about "all users" on the Puppet Labs site, and the mailing list announcement says the issue is with the 2.7 series:!topic/puppet-announce/zt0O6FtUT3c

    So is 2.6 OK?

  7. SinisterPenguin

    My Dreams are shattered

    I don't understand Puppet is Open Source, a Panacea, the answer to all the worlds ills.

    How can it possibly have any flaw let alone a security vulnerability?

    My hopes & dreams lie in tatters.....

This topic is closed for new posts.

Other stories you might like