Posted March 14, 2016
Assessed Risk Level: Low
On February 23, 2016, libssh announced CVE-2016-0739 addressing truncated Diffie-Hellman secret lengths.
Default configurations of Puppet Enterprise are not vulnerable, but Puppet Enterprise shipped with vulnerable versions of libssh. This unused dependency is removed in Puppet Enterprise 2015.3.3.
For more information about the vulnerability, please refer to the libssh security announcement (https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/).
Affected Software Versions:
- Puppet Enterprise 2015.3.x prior to 2015.3.3
- Puppet Enterprise 2015.3.3