This repository has been archived by the owner on Sep 28, 2023. It is now read-only.

Update dependency puppet to v6 [SECURITY] #3

Open

renovate wants to merge 1 commit into master from renovate/rubygems-puppet-vulnerability

renovate bot commented Mar 7, 2022 •

edited

This PR contains the following updates:

Package	Update	Change
puppet	major	`4.1.0` -> `6.25.1`

GitHub Vulnerability Alerts

CVE-2021-27023

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

CVE-2021-27025

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

CVE-2017-10689

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

CVE-2020-7942

Previously, Puppet operated on the model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting strict_hostname_checking = true in puppet.conf on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

Release Notes

puppetlabs/puppet (puppet)

`v6.25.1`

`v6.25.0`

`v6.24.0`

`v6.23.0`

`v6.22.1`

`v6.21.1`

`v6.21.0`

`v6.20.0`

`v6.19.1`

`v6.19.0`

`v6.18.0`

`v6.17.0`

`v6.16.0`

`v6.15.0`

`v6.14.0`

`v6.13.0`

`v6.12.0`

`v6.11.1`

`v6.11.0`

`v6.10.1`

`v6.10.0`

`v6.9.0`

`v6.8.1`

`v6.8.0`

`v6.7.2`

`v6.7.0`

`v6.6.0`

`v6.5.0`

`v6.4.5`

`v6.4.4`

`v6.4.3`

`v6.4.2`

`v6.4.1`

`v6.4.0`

`v6.3.0`

`v6.2.0`

`v6.1.0`

`v6.0.10`

`v6.0.9`

`v6.0.8`

`v6.0.7`

`v6.0.5`

`v6.0.4`

`v6.0.3`

`v6.0.2`

`v6.0.1`

`v6.0.0`

`v5.5.22`

`v5.5.21`

`v5.5.20`

`v5.5.19`

`v5.5.18`

`v5.5.17`

`v5.5.16`

`v5.5.14`

`v5.5.13`

`v5.5.12`

`v5.5.10`

`v5.5.8`

`v5.5.7`

`v5.5.6`

`v5.5.3`

`v5.5.2`

`v5.5.1`

`v5.5.0`

`v5.4.0`

`v5.3.7`

`v5.3.6`

`v5.3.5`

`v5.3.4`

`v5.3.3`

`v5.3.2`

`v5.3.1`

`v5.2.0`

`v5.1.0`

`v5.0.1`

`v5.0.0`

`v4.10.12`

`v4.10.11`

`v4.10.10`

`v4.10.9`

`v4.10.8`

`v4.10.7`

`v4.10.6`

`v4.10.5`

`v4.10.4`

`v4.10.1`

`v4.10.0`

`v4.9.4`

`v4.9.3`

`v4.9.2`

`v4.9.1`

`v4.9.0`

`v4.8.2`

`v4.8.1`

`v4.8.0`

`v4.7.1`

`v4.7.0`

`v4.6.2`

`v4.6.1`

`v4.5.3`

`v4.5.2`

`v4.5.1`

`v4.5.0`

`v4.4.2`

`v4.4.1`

`v4.4.0`

`v4.3.2`

`v4.3.1`

`v4.3.0`

`v4.2.3`

`v4.2.2`

`v4.2.1`

`v4.2.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from c019c55 to 423bb5a Compare

March 26, 2022 14:49

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from 423bb5a to da548fc Compare

April 25, 2022 01:11

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from da548fc to e31e694 Compare

May 15, 2022 21:58

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from e31e694 to acb324e Compare

June 18, 2022 17:30

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from acb324e to 7581b04 Compare

September 25, 2022 17:47

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from 7581b04 to 00b5843 Compare

November 20, 2022 10:45

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from 00b5843 to dd6d109 Compare

March 16, 2023 08:57

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from dd6d109 to 60b74ad Compare

March 24, 2023 13:42

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from 60b74ad to 5013a5b Compare

May 29, 2023 15:52

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch 2 times, most recently from e086718 to 78610ca Compare

July 11, 2023 00:00

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from 78610ca to 41c292b Compare

August 10, 2023 05:57


          Update dependency puppet to v6 [SECURITY]

11c2f99

renovate bot force-pushed the renovate/rubygems-puppet-vulnerability branch from 41c292b to 11c2f99 Compare

September 19, 2023 23:55

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.