CVE-2012-3867

Publication date 12 July 2012

Last updated 24 July 2024

Ubuntu priority

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
puppet	12.04 LTS precise	Fixed 2.7.11-1ubuntu2.1
	11.10 oneiric	Fixed 2.7.1-1ubuntu3.7
	11.04 natty	Fixed 2.6.4-2ubuntu2.10
	10.04 LTS lucid	Fixed 0.25.4-2ubuntu6.8
	8.04 LTS hardy	Ignored end of life

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1506-1
Puppet vulnerabilities
12 July 2012

Other references

http://puppetlabs.com/security/cve/cve-2012-3867/
https://www.cve.org/CVERecord?id=CVE-2012-3867