Hi,
On 02/23/2015 11:56 AM, Stig Sandbeck Mathisen wrote:
>> I'm not going to add it back, but unless I'm missing something in the
>> scenario I've outlined above, I don't agree there are no security
>> implications here.
>
> There is a bug, which should be fixed. I've upgraded it to "serious"
> again, so it is "release critical".

Thanks. Can you also remove the 'wontfix' tag?

> There are security implications, but it needs administrative
> privileges to your DNS server or physical access to your network to
> exploit. (Or, you need to place your laptop running puppet on a hostile
> network, which is more likely.)

In our environment we have systems managed centrally and systems managed
by research groups but they share the same DNS domain. I don't think
they would appreciate it if their systems suddenly started to contact
our puppet server :-).
Regards,
Rik
--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>