Puppet 3.1.1 is now available. 3.1.1 addresses several security vulnerabilities discovered in the 3.x line of Puppet. These vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640, CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655 and CVE-2013-2275.
All users of Puppet 3.1.0 and earlier are strongly encouraged to upgrade to 3.1.1. For more information on these vulnerabilities, please visit http://puppetlabs.com/security, or visit http://puppetlabs.com/security/cve/cve-2013-1640, http://puppetlabs.com/security/cve/cve-2013-1652, http://puppetlabs.com/security/cve/cve-2013-1653, http://puppetlabs.com/security/cve/cve-2013-1654, http://puppetlabs.com/security/cve/cve-2013-1655, and http://puppetlabs.com/security/cve/cve-2013-2275. Downloads are available at: * Source https://downloads.puppetlabs.com/puppet/puppet-3.1.1.tar.gz Windows package is available at https://downloads.puppetlabs.com/windows/puppet-3.1.1.msi RPMs are available at https://yum.puppetlabs.com/el or /fedora Debs are available at https://apt.puppetlabs.com Mac package is available at https://downloads.puppetlabs.com/mac/puppet-3.1.1.dmg Gems are available via rubygems at https://rubygems.org/downloads/puppet-3.1.1.gem or by using `gem install puppet --version=3.1.1` See the Verifying Puppet Download section at: https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 3.1.1: http://projects.puppetlabs.com/projects/puppet/ ## Changelog ## Andrew Parker (3): 3b0178f (#14093) Cleanup tests for template functionality 4ca17d9 (#14093) Remove unsafe attributes from TemplateWrapper f1d0731 (#14093) Restore access to the filename in the template Jeff McCune (2): 52be043 (#19151) Reject SSLv2 SSL handshakes and ciphers b9023b0 (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname Josh Cooper (7): f63ed48 Fix module tool acceptance test c42e608 Run openssl from windows when trying to downgrade master 8d199b2 Remove unnecessary rubygems require 3e493e1 Don't assume puppetbindir is defined 166bf79 Display SSL messages so we can match our regex 0328aaf Don't require openssl client to return 0 on failure 406725d Don't assume master supports SSLv2 Justin Stoller (6): cb607d9 Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275) 611b12d Separate tests for same CVEs into separate files f6e1987 We can ( and should ) use grep instead of grep -E 672af80 add quotes around paths for windows interop 28d80f0 remove tests that do not run on 3.1+ b87b719 run curl against the master on the master Moses Mendoza (1): 6c3dd98 Update PUPPETVERSION for 3.1.1 Nick Lewis (3): 940594b (#19393) Safely load YAML from the network 7da9559 Always read request body when using Rack 8f82131 Fix order-dependent test failure in network/authorization_spec Patrick Carlisle (3): eef6d38 (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests f877cf5 (#19392) (CVE-2013-1653) Validate instances passed to indirector eb71909 (#19392) Don't validate key for certificate_status Pieter van de Bruggen (1): f6dbe99 Updating module tool acceptance tests with new expectations. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
