MCollective 2.5.3 is a security and bug fix release in the MCollective 2.5 series. This release addresses CVE-2014-3251.
** CVE-2014-3251 ** The MCollective `aes_security` public key plugin does not correctly validate certs against the CA. By exploiting this vulnerability within a race/initialization window, an attacker with local access could initiate an unauthorized MCollective client connection with a server, and thus control the mcollective plugins running on that server. This vulnerability requires a collective be configured to use the aes_security plugin. Puppet Enterprise and open source MCollective are not configured to use the plugin and are not vulnerable by default. CVSSv2 Score: 3.4 Vector: AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C Affected software versions: MCollective (all, not configured by default) Puppet Enterprise (all, not configured by default) Fixed software versions: MCollective 2.5.3 Puppet Enterprise 3.3.0 For more information on this vulnerability, please visit https://puppetlabs.com/security/cve/cve-2014-3251 Please read through the Release Notes for the full list of changes: http://docs.puppetlabs.com/mcollective/releasenotes.html To report issues with the release, file a ticket in the "MCO" project on http://tickets.puppetlabs.com/ and set the "Affects version/s" field to "2.5.3" -- Melissa Stone Release Engineer, Puppet Labs *Join us at PuppetConf 2014 <http://www.puppetconf.com/>, September 20-24 in San Francisco* *Register by July 31st to take advantage of the Early Bird discount <https://puppetconf2014.eventbrite.com/?discount=EarlyBird> **—**save $249!* -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CAHEe_kq%2BnFRyA1dub1QCSdwRBZpwH_4Vg%3D9Bo7kMY1rv1Kr88A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
