Overview

Ruby September 2017 Security Fixes

  • Posted November 7, 2017

  • Assessed Risk Level: Medium

On September 19, 2017, Nokogiri announced several vulnerabilities.

Previous versions of Puppet Agent and PDK shipped with vulnerable versions of Ruby.

For more information about these vulnerabilities, refer to the Ruby 2.4.2 release page (https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/).

Status:

Affected software versions:

  • Puppet Agent versions prior to 1.10.9
  • Puppet Agent versions prior to 5.3.3
  • PDK versions prior to 1.2.1
  • Puppet Enterprise versions prior to 2016.4.9
  • Puppet Enterprise versions prior to 2017.2.5
  • Puppet Enterprise versions prior to 2017.3.2

Resolved in:

  • Puppet Agent 1.10.9
  • Puppet Agent 5.3.3
  • PDK 1.2.1
  • Puppet Enterprise 2016.4.9
  • Puppet Enterprise 2017.2.5
  • Puppet Enterprise 2017.3.2
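
The version lists above can be turned into an inventory check. The following is an added example, not code from Puppet or from this advisory. The product keys, the host names, and the rule that a fix only covers its own release line (major version for Puppet Agent and PDK, major.minor for Puppet Enterprise) are assumptions.

```ruby
require "rubygems" # Gem::Version orders dotted versions numerically

# Fixed releases copied from the "Resolved in" list of this advisory.
# Product keys are hypothetical labels. :line_depth is an assumption:
# the number of leading segments that identify a release line.
FIXED = {
  "puppet-agent"      => { line_depth: 1, fixed: %w[1.10.9 5.3.3] },
  "pdk"               => { line_depth: 1, fixed: %w[1.2.1] },
  "puppet-enterprise" => { line_depth: 2, fixed: %w[2016.4.9 2017.2.5 2017.3.2] },
}.freeze

def release_line(version, depth)
  version.segments.first(depth)
end

# Returns :fixed or :affected for one product/version pair.
def advisory_status(product, version_string)
  entry = FIXED.fetch(product) { raise ArgumentError, "unknown product: #{product}" }
  installed = Gem::Version.new(version_string)
  fixed = entry[:fixed].map { |v| Gem::Version.new(v) }.sort
  depth = entry[:line_depth]

  # At or beyond the newest fixed release: assumed to carry the fix.
  return :fixed if installed >= fixed.last

  # Otherwise only a fix on the same release line counts, so 5.0.0 is
  # not treated as fixed just because it sorts after 1.10.9.
  same_line = fixed.find { |f| release_line(f, depth) == release_line(installed, depth) }
  same_line && installed >= same_line ? :fixed : :affected
end

# Constructed inventory rows (host, product, version); not real systems.
INVENTORY = [
  ["web01.example.test", "puppet-agent",      "1.10.8"],
  ["web02.example.test", "puppet-agent",      "1.10.9"],
  ["db01.example.test",  "puppet-agent",      "5.0.0"],
  ["pe01.example.test",  "puppet-enterprise", "2016.5.2"],
  ["pe02.example.test",  "puppet-enterprise", "2017.2.6"],
  ["dev01.example.test", "pdk",               "1.2.0"],
].freeze

# Hosts that still need the upgrade named in the advisory.
def affected_hosts(inventory)
  inventory.reject { |_, product, version| advisory_status(product, version) == :fixed }
           .map(&:first)
end

puts affected_hosts(INVENTORY) if $PROGRAM_NAME == __FILE__
```

A release that falls on a line with no listed fix, such as the constructed 2016.5.2 row, is reported as affected because the advisory names no fixed build for it.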