Puppet contains a flaw related to the displaying of certificate information that is triggered when parsing ANSI control sequence requests. This may allow a remote attacker to manipulate the order text is displaying on certificates, allowing them to swap the text of a valid and invalid certificate, which may potentially trick an administrator into accepting an invalid certificate.

Upgrade to Puppet to version 2.6.17 or 2.7.18 or higher and Puppet Enterprise to version 2.5.2 or higher, as they have been reported to fix this vulnerability. In addition, the vendor has released a patch for some older versions.

• CVE ID: 2012-3867 (see also: NVD)
• Secunia Advisory ID: 49863 49871 49921 50014 50284 51472
• Bugtraq ID: 54399
• Related OSVDB ID: 83692 83694 83695
• Vendor Specific News/Changelog Entry: http://lists.debian.org/debian-security-announce/2012/msg00149.html
  http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
  http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
  http://projects.puppetlabs.com/issues/15561
  http://www.ubuntu.com/usn/usn-1506-1/
• Vendor URL: http://puppetlabs.com/
• Vendor Specific Advisory URL: http://puppetlabs.com/security/cve/cve-2012-3867/
• RedHat RHSA: RHSA-2012-1542

• Not Available