CVE-2013-1654

Priority
Description
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise
2.7.x before 2.7.2, does not properly negotiate the SSL protocol between
client and master, which allows remote attackers to conduct SSLv2 downgrade
attacks against SSLv3 sessions via unspecified vectors.
Assigned-to
mdeslaur
Notes
mdeslaurUpstream no longer supports 0.25.x as found in lucid. The code
is substantially different, rendering a backport of this
security update difficult. Since puppet in Lucid is almost
end-of-life, we aren't planning on backporting the security fix
to it. For Lucid users, we recommend using puppet
2.7.1-1ubuntu3.8~ubuntu10.04.1 currently in lucid-backports.
Package
Upstream:released (2.6.18, 2.7.21, 3.1.1)
More Information

Updated: 2019-12-05 21:03:10 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)