Facter 1.7.6 is a security fix release in the Facter 1.7 series. The Facter 1.7 series was incorrectly omitted from the original security announcement for Facter. This release addresses CVE-2014-3248. It has no other bug fixes or new features. All users of Facter 1.7.5 and earlier are encouraged to update to 1.7.6.
** CVE-2014-3248 ** Arbitrary Code Execution with Required Social Engineering An attacker could convince an administrator to unknowingly create and execute malicious code on platforms with Ruby 1.9.1 and earlier. CVSSv2 Score: 5.2 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C Affected Facter versions (ruby 1.9.1 and earlier only): 2.x 1.7.x 1.6.x Fixed Facter versions: 1.7.6, 2.0.2 See the Release Notes here: http://docs.puppetlabs.com/facter/1.7/release_notes.html#facter-176 For more information on this vulnerability, please visit https://puppetlabs.com/security/cve/cve-2014-3248 To report issues with the release, file a ticket in the "FACT" project on http://tickets.puppetlabs.com/ and set the "Affects version/s" field to "1.7.6" -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAHEe_kqvHD-rq-sTEFqA%2BnUmqfMSru97aH2GbGVOxRV9coLN0w%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
