CVE-2013-4956

NameCVE-2013-4956
DescriptionPuppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2761-1
NVD severitylow (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)wheezy2.7.23-1~deb7u3fixed
wheezy (security)2.7.23-1~deb7u4fixed
jessie, jessie (security)3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
buster, sid4.10.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsource(unstable)3.2.4-1low
puppetsourcesqueeze(not affected)
puppetsourcewheezy2.7.23-1~deb7u1lowDSA-2761-1

Notes

[squeeze] - puppet <not-affected> (puppet module not yet present)

Search for package or bug name: Reporting problems