Puppet, Repos, Security

Hello list,

I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar
2013. EPEL has an even older version. Then I see this:
http://puppetlabs.com/security/cve/cve-2013-3567
that was posted in the month of July 2013.

Do I understand correctly, that my puppet-master is vulnerable to remote code execution by every node that has access to master’s port tcp/8140?

If so, then the only option to use puppet while being safe is to use puppetlabs repo, or build puppet myself?

Thank you,
Ignas

One thought on - Puppet, Repos, Security

  • A very old and occasionally suspect repo (rpmforge) in terms of lack of updates (see the clamav issues a little while back). EPEL is better but stays a lot older.

    Yes that is almost certainly the case – best to check the --changelog of the RPM you are using though.

    Using the official puppetlabs repo is the best/right answer and will allow you to be on the most recent puppet version – there are significant reasons why this is desirable.
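
The changelog check suggested in the reply above, as an added example that is not part of the original thread: packagers sometimes backport a fix without bumping the upstream version, so the script looks for the CVE id in `rpm -q --changelog` output instead of comparing version numbers. The function names and the sample changelog (packager, dates, versions) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find RPM changelog entries that mention a given CVE id.

# cve_entries CVE_ID -- reads `rpm -q --changelog` text on stdin and prints
# the header line ("* date packager - version") of each entry citing the CVE.
cve_entries() {
    awk -v cve="$1" '
        BEGIN { cve = tolower(cve) }
        /^\* / { header = $0; reported = 0; next }   # start of a new entry
        header != "" && !reported && index(tolower($0), cve) {
            print header; reported = 1
        }
    '
}

# Constructed sample changelog (packager, dates and versions are made up).
sample_changelog() {
    cat <<'EOF'
* Tue Jul 02 2013 Example Packager <packager@example.invalid> - 0.0.2-1
- Backport upstream fix for CVE-2013-3567

* Wed Mar 20 2013 Example Packager <packager@example.invalid> - 0.0.1-1
- Initial package
EOF
}

# pkg_has_fix PACKAGE CVE_ID -- true if the installed package changelog
# mentions the CVE. Requires rpm on the host (hypothetical helper name).
pkg_has_fix() {
    [ -n "$(rpm -q --changelog "$1" 2>/dev/null | cve_entries "$2")" ]
}

# Demonstration on the constructed sample: prints the 0.0.2-1 entry header.
sample_changelog | cve_entries CVE-2013-3567
```

On a real host, `pkg_has_fix puppet CVE-2013-3567` runs the same check against the installed package. No match means the packager's changelog records no fix for that CVE, which is what the reply expects for the rpmforge build.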