Amazon Linux 1 (EOL) Security Advisory: ALAS-2012-75
Advisory Released Date: 2012-05-08
Advisory Updated Date: 2014-09-14
Severity:
Medium
Issue Overview:
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allow remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
Affected Packages:
puppet
Issue Correction:
Run yum update puppet to update your system.
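To confirm the update took effect, the following added example (not part of the original advisory) classifies a Puppet version string against the 2.6.x and 2.7.x ranges in the Issue Overview. The function names puppet_affected and check_installed_puppet are assumptions made for this sketch, and the Puppet Enterprise ranges are not covered.

```shell
#!/bin/sh
# Added example: classify an upstream Puppet version against the affected
# ranges quoted in the Issue Overview of this advisory.
# Exit status: 0 = affected, 1 = not in a listed range, 2 = unparsable input.
puppet_affected() {
    ver=${1%%-*}                      # strip an RPM release such as -1.6.amzn1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                       # split major.minor.patch on dots
    IFS=$old_ifs
    [ $# -ge 3 ] || return 2
    [ "$1" -eq 2 ] || return 1
    case $2 in
        6) [ "$3" -lt 15 ] ;;         # 2.6.x before 2.6.15
        7) [ "$3" -lt 13 ] ;;         # 2.7.x before 2.7.13
        *) return 1 ;;
    esac
}

# Report on the locally installed package (hypothetical helper; needs rpm).
check_installed_puppet() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' puppet 2>/dev/null) || {
        echo "puppet package not found via rpm"; return 1; }
    rc=0
    puppet_affected "$installed" || rc=$?
    case $rc in
        0) echo "puppet-$installed is affected: run 'yum update puppet'" ;;
        1) echo "puppet-$installed is outside the affected 2.6.x/2.7.x ranges" ;;
        *) echo "could not parse version: $installed"; return 2 ;;
    esac
}
```

Call check_installed_puppet on a host after running the update; puppet_affected can also be fed versions collected from an inventory.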
New Packages:
i686:
puppet-debuginfo-2.6.16-1.6.amzn1.i686
puppet-2.6.16-1.6.amzn1.i686
puppet-server-2.6.16-1.6.amzn1.i686
src:
puppet-2.6.16-1.6.amzn1.src
x86_64:
puppet-debuginfo-2.6.16-1.6.amzn1.x86_64
puppet-2.6.16-1.6.amzn1.x86_64
puppet-server-2.6.16-1.6.amzn1.x86_64