Overview

  • Posted March 14, 2016

  • Assessed Risk Level: Low

On February 23, 2016, libssh announced CVE-2016-0739 addressing truncated Diffie-Hellman secret lengths.

Default configurations of Puppet Enterprise are not vulnerable, but Puppet Enterprise shipped with vulnerable versions of libssh. This unused dependency is removed in Puppet Enterprise 2015.3.3.

For more information about the vulnerability, please refer to the libssh security announcement (https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/).

Status:

Affected Software Versions:

  • Puppet Enterprise 2015.3.x prior to 2015.3.3

Resolved in:

  • Puppet Enterprise 2015.3.3