Package: facter
Version: 2.2.0-1
Severity: critical
Tags: security upstream
Justification: root security hole

Dear Maintainer,

Due to https://tickets.puppetlabs.com/browse/FACT-800, Facter caches IAM role AKID/SAKID and Token under ec2_metadata fact. Facts are stored under /var/lib/puppet/yaml/facts/$nodename.yaml however facts can be reported by report processors to less authorised systems potentially allowing abuse of authentication information against AWS API.

All current Jessie Puppet systems store this authentication information under the ec2_metadata fact on disk and reported via any custom or Puppet report processing.

Debian Release: 8.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages facter depends on:
ii  bind9-host [host]         1:9.9.5.dfsg-9+deb8u12
ii  net-tools                 1.60-26+b1
ii  ruby                      1:2.1.5+deb8u2
ii  ruby-json                 1.8.1-1+b2
ii  ruby2.1 [ruby-interpreter]  2.1.5-2+deb8u3

Versions of packages facter recommends:
ii  dmidecode  2.12-3
ii  pciutils   1:3.2.1-3
ii  virt-what  1.14-1

facter suggests no packages.

-- no debconf information
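
A check that could be run over the cached fact files named in the report, to see whether IAM credential fields are present under ec2_metadata. This is an added example, not part of the original report and not Facter or Puppet code. The top-level `values` key, the nesting of the sample and the `scan_facts` helper name are assumptions, and the sample data is constructed.

```ruby
require 'psych'

# Field names the EC2 metadata service returns for an IAM role's temporary credentials.
CREDENTIAL_KEYS = %w[AccessKeyId SecretAccessKey Token].freeze

# Turn a Psych AST node into plain Hash/Array/String values. The AST is walked
# instead of calling YAML.load so the !ruby/object tags are never instantiated.
def plain(node)
  case node
  when Psych::Nodes::Mapping
    node.children.each_slice(2).map { |k, v| [plain(k).to_s, plain(v)] }.to_h
  when Psych::Nodes::Sequence then node.children.map { |c| plain(c) }
  when Psych::Nodes::Scalar then node.value
  end
end

# Return the paths (never the values) under which credential fields appear.
def credential_paths(value, path)
  case value
  when Hash
    value.flat_map do |k, v|
      (CREDENTIAL_KEYS.include?(k) ? [(path + [k]).join('/')] : []) + credential_paths(v, path + [k])
    end
  when Array then value.flat_map { |v| credential_paths(v, path) }
  when String # JSON or a stringified fact kept as one scalar
    CREDENTIAL_KEYS.select { |k| value.include?(k) }.map { |k| (path + [k]).join('/') }
  else []
  end
end

# Assumption: facts sit under a top-level "values" mapping; fall back to the root.
def scan_facts(yaml_text)
  doc = Psych.parse(yaml_text)
  top = doc ? plain(doc.root) : nil
  return [] unless top.is_a?(Hash)
  facts = top['values'].is_a?(Hash) ? top['values'] : top
  credential_paths(facts['ec2_metadata'], ['ec2_metadata'])
end

# Constructed sample of a cached fact file; role name and values are placeholders.
SAMPLE = <<~YAML
  --- !ruby/object:Puppet::Node::Facts
  name: node.example.test
  values:
    kernel: Linux
    ec2_metadata:
      iam:
        security-credentials:
          example-role: '{"AccessKeyId":"CONSTRUCTED","SecretAccessKey":"CONSTRUCTED","Token":"CONSTRUCTED"}'
YAML

# Usage: ruby scan.rb /var/lib/puppet/yaml/facts/*.yaml
ARGV.each { |f| scan_facts(File.read(f)).each { |p| puts "#{f}: #{p}" } } if __FILE__ == $0
```

Only the location of each finding is printed, so the scanner's own output does not become another copy of the credentials.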