CVE-2017-2295

NameCVE-2017-2295
DescriptionVersions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1012-1, DSA-3862-1
Debian Bugs863212

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)jessie, jessie (lts)3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
buster5.5.10-4fixed
bullseye5.5.22-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsourcewheezy2.7.23-1~deb7u4DLA-1012-1
puppetsourcejessie3.7.2-4+deb8u1DSA-3862-1
puppetsource(unstable)4.8.2-5863212

Notes

https://puppet.com/security/cve/cve-2017-2295
https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea

Search for package or bug name: Reporting problems