A bug in Puppet 0.24.0 through 2.7.5 causes Puppet to insert the puppet master's DNS alt names ("certdnsnames" in puppet.conf) into the X.509 Subject Alternative Name field of all certificates, rather than just the puppet master's certificate.
Since the puppet agent daemon can use the Subject Alternative Name field to identify its puppet master, your site may contain agent certificates that can be used in a Man in the Middle (MITM) attack to impersonate the puppet master.
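The practical question for a defender is which of the site's already-issued agent certificates carry the puppet master's names in their Subject Alternative Name extension. The following Ruby script is an added example written for this page, not a Puppet Labs tool: it parses the subjectAltName extension of X.509 certificates with Ruby's standard OpenSSL library, flags any certificate whose SAN contains one of the master's DNS names, and can be pointed at a directory of signed PEM files. The master names in MASTER_DNS_NAMES and the self-signed certificates built by build_cert are constructed sample values for demonstration; at a real site the names would be whatever "certdnsnames" was set to, and the certificates would be the ones issued by the site's CA.

```ruby
require 'openssl'

# Names the puppet master was reachable as (constructed sample values;
# substitute the site's actual "certdnsnames" entries).
MASTER_DNS_NAMES = %w[puppet puppet.example.com].freeze

# Return the DNS entries of a certificate's subjectAltName extension
# (empty array if the certificate has no such extension).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  # OpenSSL renders the extension as "DNS:a, DNS:b, IP Address:1.2.3.4"
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

# An agent certificate is affected if its SAN carries any master name,
# because an agent could then accept it as the puppet master's certificate.
def affected?(cert, master_names = MASTER_DNS_NAMES)
  (san_dns_names(cert) & master_names).any?
end

# Scan a directory of PEM certificates (for example the CA's signed-cert
# directory) and return the paths of the affected ones.
def scan_signed_dir(dir, master_names = MASTER_DNS_NAMES)
  Dir.glob(File.join(dir, '*.pem')).select do |path|
    affected?(OpenSSL::X509::Certificate.new(File.read(path)), master_names)
  end
end

# Build a self-signed test certificate with the given CN and SAN list.
# Constructed for this example only; real agent certs are issued by the site CA.
def build_cert(cn, dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  unless dns_names.empty?
    san = dns_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  # A certificate issued correctly carries only the agent's own name...
  clean = build_cert('agent1.example.com', ['agent1.example.com'])
  # ...while one issued by a buggy master also carries the master's names.
  leaked = build_cert('agent2.example.com',
                      ['agent2.example.com', 'puppet', 'puppet.example.com'])
  puts "agent1 affected? #{affected?(clean)}"   # false
  puts "agent2 affected? #{affected?(leaked)}"  # true
end
```

Run it as `ruby san_audit.rb` for the built-in demonstration, or call scan_signed_dir with the CA's signed-certificate directory to list every affected certificate; those are the ones that need to be revoked and re-issued once the master has been upgraded.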
If your puppet master's "certdnsnames" setting has never been set during the lifetime of your site's CA, you are protected and can safely ignore this vulnerability once you've upgraded your puppet master. Otherwise, you must mitigate this vulnerability by:
Although the above mitigation will completely protect your site, you may also wish to migrate to a new CA and invalidate and re-issue all of your site's certificates. This will provide longer-term protection, will prevent your site from being accidentally returned to a vulnerable state, and will let you resume using your preferred puppet master name.
Puppet Labs has released tools to assist in mitigating the vulnerability and migrating to a new CA.