Your message dated Tue, 23 May 2017 21:06:38 +0000
with message-id <e1ddh0o-000ffm...@fasolo.debian.org>
and subject line Bug#863212: fixed in puppet 4.8.2-5
has caused the Debian Bug report #863212,
regarding puppet: CVE-2017-2295: unsafe YAML deserialization
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
863212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863212
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: puppet
Version: 3.7.2-1
Severity: grave
Tags: upstream security patch
Hi,
the following vulnerability was published for puppet.
CVE-2017-2295[0]:
Unsafe YAML deserialization
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-2295
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2295
[1] https://puppet.com/security/cve/cve-2017-2295
[2] https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: puppet
Source-Version: 4.8.2-5
We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoi...@debian.org> (supplier of updated puppet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 23 May 2017 23:17:46 +0300
Source: puppet
Binary: puppet puppet-master puppetmaster puppet-master-passenger puppetmaster-passenger puppet-common
Architecture: source all
Version: 4.8.2-5
Distribution: unstable
Urgency: high
Maintainer: Puppet Package Maintainers <pkg-puppet-de...@lists.alioth.debian.org>
Changed-By: Apollon Oikonomopoulos <apoi...@debian.org>
Description:
 puppet - configuration management system
 puppet-common - transitional dummy package
 puppet-master - configuration management system, master service
 puppet-master-passenger - configuration management system, scalable master service
 puppetmaster - configuration management system, master service - transitional pa
 puppetmaster-passenger - configuration management system, scalable master service - transi
Closes: 863212
Changes:
 puppet (4.8.2-5) unstable; urgency=high
 .
   * master: accept facts only in PSON format (CVE-2017-2295) (Closes: #863212).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---