Merge pull request #538 from munki/samuel-readme

Update README.md
Greg Neagle
2015-11-17 13:50:01 -08:00

@@ -3,21 +3,6 @@ munki
_Managed software installation for OS X_
###Announcement
An exploit has been discovered against Munki tools older than version 2.1.
Untrusted input can be passed to the curl binary, causing arbitrary files to be downloaded to arbitrary locations.
Recommendation is to update to Munki 2.1 or later, which is not susceptible to this exploit, as version 2.1 and later no longer use the curl binary for http/https communication.
This vulnerability has been assigned a CVE ID: CVE-2015-2211
If you cannot update to Munki 2.1, there is a patch for Munki 2.0.1 here:
https://github.com/munki/munki/releases/tag/v2.0.1.2254
And another for Munki 1.0.0 here:
https://github.com/munki/munki/releases/tag/v1.0.0.1896.0
####Introduction
Munki is a set of tools that, used together with a webserver-based repository of packages and package metadata, can be used by OS X administrators to manage software installs (and in many cases removals) on OS X client machines.
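Review bot: with the "###Announcement" block taken out from between "_Managed software installation for OS X_" and "####Introduction", nothing near the top of the README mentions CVE-2015-2211 any more. Administrators still running a version older than 2.1 are the readers who most need to see it, so consider leaving a one-line pointer here, for example "Security: Munki tools older than 2.1 are affected by CVE-2015-2211, see the Announcement section below."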
@@ -41,3 +26,18 @@ If you have questions, or need additional help getting started, the [munki-dev](
Issues with MunkiWebAdmin should be discussed in its group: [munki-web-admin](https://groups.google.com/group/munki-web-admin).
![](https://github.com/munki/munki/wiki/images/managed_software_center.png)
###Announcement
An exploit has been discovered against Munki tools older than version 2.1.
Untrusted input can be passed to the curl binary, causing arbitrary files to be downloaded to arbitrary locations.
Recommendation is to update to Munki 2.1 or later, which is not susceptible to this exploit, as version 2.1 and later no longer use the curl binary for http/https communication.
This vulnerability has been assigned a CVE ID: CVE-2015-2211
If you cannot update to Munki 2.1, there is a patch for Munki 2.0.1 here:
https://github.com/munki/munki/releases/tag/v2.0.1.2254
And another for Munki 1.0.0 here:
https://github.com/munki/munki/releases/tag/v1.0.0.1896.0
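Review bot: the "###Announcement" block re-added after the managed_software_center.png image has a generic heading and no date, so at the bottom of the file a reader cannot tell that it is a security notice or how current it is. Consider a heading such as "###Security announcement (CVE-2015-2211)" and a date on the first line. The two patch URLs could also be written as Markdown links, as the munki-web-admin group link above them is, and "Recommendation is to update" reads better as "The recommendation is to update".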