On February 23, 2016, the libssh project announced CVE-2016-0739, a vulnerability concerning truncated Diffie-Hellman secret lengths.
Default configurations of Puppet Enterprise are not vulnerable, but Puppet Enterprise shipped with vulnerable versions of libssh. This unused dependency is removed in Puppet Enterprise 2015.3.3.
For more information about the vulnerability, please refer to the libssh security announcement (https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/).
Affected Software Versions: