Puppet，是基于Ruby的一个工具，您可以集中管理每一个重要方面，您的系统使用的是跨平台的规范语言，管理所有的单独的元素通常聚集在不同的文件，如用户， CRON作业，和主机一起显然离散元素，如包装，服务和文件。

Puppet的简单陈述规范语言的能力提供了强大的classing制定了主机之间的相似之处，同时使他们能够提供尽可能具体的必要的，它依赖的先决条件和对象之间的关系清楚和明确。

2012-07-10发布了最新稳定版2.7.18，上个版本是2012-06-20的2.7.17 只修正了几个安全Bug.其他产品线还是2012-04-11的2.6.16 下个产品系列3.0已发布了RC3.

完全改进请见

http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18

Security Fixes

CVE-2012-3864 Arbitrary file read on the puppet master from authenticated clients (high)

It is possible to construct an HTTP get request from an authenticated
client with a valid certificate that will return the contents of an arbitrary
file on the Puppet master that the master has read-access to. 

CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high)

Given a Puppet master with the "Delete" directive allowed in auth.conf
for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
this vulnerability does *not* exist in Puppet as configured by default.

CVE-2012-3866 last_run_report.yaml is world readable (medium)

The most recent Puppet run report is stored on the Puppet master
with world-readable permissions. The report file contains the context
diffs of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Puppet run.

Arbitrary file read on the Puppet master by an agent (medium)

This vulnerability is dependent upon CVE-2012-3866 "last_run_report.yml
is world readable" above. By creating a hard link of a Puppet-managed
file to an arbitrary file that the Puppet master can read, an attacker forces
the contents to be written to the puppet run summary. The context diff is
stored in last_run_report.yaml, which can then be accessed by the
attacker.

CVE-2012-3867 Insufficient input validation for agent hostnames (low)

An attacker could trick the administrator into signing an attacker's
certificate rather than the intended one by constructing specially
crafted certificate requests containing specific ANSI control sequences.
It is possible to use the sequences to rewrite the order of text displayed
to an administrator such that display of an invalid certificate and valid
certificate are transposed. If the administrator signs the attacker's
certificate, the attacker can then man-in-the-middle the agent.

Agents with certnames of IP addresses can be impersonated (low)

If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this Puppet 2.7.18, IP-based authentication in Puppet < 3.x is deprecated, and a warning will be issued when used.


下载：http://downloads.puppetlabs.com/puppet/puppet-2.7.18.tar.gz