Puppet 2.7.21 is now available. 2.7.21 addresses several security vulnerabilities discovered in the 2.7.x line of Puppet. These vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640, CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655 and CVE-2013-2275.
All users of Puppet 2.7.20 and earlier who cannot upgrade to the current version of Puppet, 3.1.1, are strongly encouraged to upgrade to 2.7.21. For more information on these vulnerabilities, please visit http://puppetlabs.com/security, or visit http://puppetlabs.com/security/cve/cve-2013-1640, http://puppetlabs.com/security/cve/cve-2013-1652, http://puppetlabs.com/security/cve/cve-2013-1653, http://puppetlabs.com/security/cve/cve-2013-1654, http://puppetlabs.com/security/cve/cve-2013-1655, and http://puppetlabs.com/security/cve/cve-2013-2275. Downloads are available at: * Source https://downloads.puppetlabs.com/puppet/puppet-2.7.21.tar.gz Windows package is available at https://downloads.puppetlabs.com/windows/puppet-2.7.21.msi RPMs are available at https://yum.puppetlabs.com/el or /fedora Debs are available at https://apt.puppetlabs.com Mac package is available at https://downloads.puppetlabs.com/mac/puppet-2.7.21.dmg Gems are available via rubygems at https://rubygems.org/downloads/puppet-2.7.21.gem or by using `gem install puppet --version=2.7.21` See the Verifying Puppet Download section at: https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.21: http://projects.puppetlabs.com/projects/puppet/ ## Changelog ## Andrew Parker (2): cf6cf81 (#14093) Remove unsafe attributes from TemplateWrapper bd942ec (#14093) Restore access to the filename in the template Jeff McCune (2): be920ac (#19151) Reject SSLv2 SSL handshakes and ciphers 632e12d (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname Josh Cooper (8): 7df884b Fix module tool acceptance test 0f4ac20 Run openssl from windows when trying to downgrade master 9cbfb9d Remove unnecessary rubygems require 70cdc63 Don't assume puppetbindir is defined 12728c0 Display SSL messages so we can match our regex 60eebed Don't require openssl client to return 0 on failure a1c4abd Don't assume master supports SSLv2 3ecd376 (#19391) Find the catalog for the specified node name Justin Stoller (2): 79b875e Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275) 7d62aa0 Separate tests for same CVEs into separate files Moses Mendoza (2): 4b0a7e2 Add missing 2.7.20 CHANGELOG entries 24d45dc Update CHANGELOG, PUPPETVERSION for 2.7.21 Nick Lewis (3): f2a3d5c (#19393) Safely load YAML from the network a3d3c95 Always read request body when using Rack 61109fa Fix order-dependent test failure in rest_authconfig_spec Patrick Carlisle (3): 516142e (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests 0a7d61f (#19392) (CVE-2013-1653) Validate instances passed to indirector c240299 (#19392) Don't validate key for certificate_status Pieter van de Bruggen (1): 4a272ea Updating module tool acceptance tests with new expectations. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
