Overview

Ruby December 2017 Security Fixes

  • Posted February 5, 2018

  • Assessed Risk Level: Medium

On December 14, 2017, Ruby announced a vulnerability in a bundled library.

Previous versions of puppet-agent shipped with vulnerable versions of Ruby.

For more information about this vulnerability, refer to Ruby’s security announcement page (https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/).

Status:

Affected software versions:

  • Puppet Agent versions prior to 1.10.10
  • Puppet Agent versions prior to 5.3.4
  • Puppet Enterprise versions prior to 2016.4.10
  • Puppet Enterprise versions prior to 2017.3.3

Resolved in:

  • Puppet Agent 1.10.10
  • Puppet Agent 5.3.4
  • Puppet Enterprise 2016.4.10
  • Puppet Enterprise 2017.3.3
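
To check an inventory against the lists above, the following added example (not Puppet's code) classifies a package version as affected or fixed. The function names, the release-stream rule and the sample inventory are assumptions made for illustration. The input is the puppet-agent or Puppet Enterprise package version, not the version of Puppet it bundles.

```ruby
# Added example (not Puppet's code): classify an installed version against
# the fixed releases listed in this advisory.
require "rubygems" # Gem::Version compares segment by segment, so 1.10.9 < 1.10.10

# Fixed releases, copied from the "Resolved in" list above.
FIXED = {
  "puppet-agent"      => %w[1.10.10 5.3.4],
  "puppet-enterprise" => %w[2016.4.10 2017.3.3],
}.freeze

# Assumption: the first two segments identify a release stream (e.g. 1.10.x),
# and a fix in one stream does not cover an older build in another stream.
def stream(version)
  version.segments.first(2)
end

# Returns :fixed or :affected for a product/version pair.
def advisory_status(product, version_string)
  fixes = FIXED.fetch(product).map { |v| Gem::Version.new(v) }
  installed = Gem::Version.new(version_string)

  # Same stream as a fixed release: compare within that stream.
  same_stream = fixes.find { |f| stream(f) == stream(installed) }
  return (installed >= same_stream ? :fixed : :affected) if same_stream

  # Other streams: only builds newer than the latest fixed release are
  # treated as fixed (assumption; the advisory names no other streams).
  installed > fixes.max ? :fixed : :affected
end

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
  ["web01", "puppet-agent", "1.10.9"],
  ["web02", "puppet-agent", "1.10.10"],
  ["db01",  "puppet-agent", "5.0.1"],
  ["pe01",  "puppet-enterprise", "2017.3.3"],
].freeze

# Hostnames whose installed version is still affected.
def affected_hosts(inventory)
  inventory.select { |_, product, ver| advisory_status(product, ver) == :affected }
           .map(&:first)
end

puts affected_hosts(SAMPLE_INVENTORY).inspect if $PROGRAM_NAME == __FILE__
```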