Posted March 14, 2016
Assessed Risk Level: Medium
On February 23, 2016, libssh2 announced CVE-2016-0787, a vulnerability involving truncated Diffie-Hellman secret lengths.
The version of libssh2 used by r10k is vulnerable and has been updated in Puppet Enterprise 2015.3.3.
For more information about the vulnerability, please refer to the libssh2 security announcement (https://www.libssh2.org/adv_20160223.html).
Affected Software Versions:
- Puppet Enterprise 3.8.x
- Puppet Enterprise 2015.3.x prior to 2015.3.3
Resolved in:
- Puppet Enterprise 2015.3.3