Posted March 14, 2016
Assessed Risk Level: Medium
On February 11, 2016, PostgreSQL announced CVE-2016-0773, addressing a vulnerability in regular expression parsing.
Puppet Enterprise 2015.x and 3.8.x contained a vulnerable version of PostgreSQL that allows denial-of-service attacks against PuppetDB and the Puppet Enterprise console. Puppet Enterprise 2015.3.3 includes an updated version of PostgreSQL to address this vulnerability.
For more information about the vulnerability, please refer to the PostgreSQL security announcement (http://www.postgresql.org/about/news/1644/).
Affected Software Versions:
- Puppet Enterprise 3.8.x
- Puppet Enterprise 2015.x prior to 2015.3.3
Resolved in:
- Puppet Enterprise 2015.3.3