CVE-2013-1654 (SSL Protocol Downgrade Vulnerability)

  • Posted March 12, 2013

  • A vulnerability has been found in Puppet that could allow a client negotiating a connection to a master to downgrade the master's SSL protocol to SSLv2. This protocol has been found to contain design weaknesses (visit this page for more information). This issue only affects systems running older versions of OpenSSL (earlier than 1.0.0). Newer versions explicitly disable SSLv2.


    • Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2
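
A triage check for an inventory of masters, using the fixed releases and the OpenSSL threshold stated above. This is an added example, not code from Puppet or from the original advisory. The host names and inventory rows are constructed, and the mapping of each fixed release to a whole release series is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
# Assumption: each fix covers its own series (3.1.1 for all of 3.x,
# the Puppet Enterprise fixes for 1.x and 2.x respectively).
PUPPET_FIXED = {(2, 6): (2, 6, 18), (2, 7): (2, 7, 21), (3,): (3, 1, 1)}
PE_FIXED = {(1,): (1, 2, 7), (2,): (2, 7, 2)}


def parse(version):
    """'2.7.20' -> (2, 7, 20); '0.9.8y' -> (0, 9, 8). Suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(g or 0) for g in m.groups())


def puppet_is_fixed(version, enterprise=False):
    v = parse(version)
    table = PE_FIXED if enterprise else PUPPET_FIXED
    for series, fixed in table.items():
        if v[:len(series)] == series:
            return v >= fixed
    # Series without a listed fix: resolved only if newer than every fix.
    return v > max(table.values())


def openssl_allows_sslv2(version):
    # Per the advisory, only OpenSSL older than 1.0.0 is affected.
    return parse(version) < (1, 0, 0)


def exposed(puppet, openssl, enterprise=False):
    return not puppet_is_fixed(puppet, enterprise) and openssl_allows_sslv2(openssl)


# Constructed inventory: (host, Puppet version, is Puppet Enterprise, OpenSSL version).
INVENTORY = [
    ("master-a", "2.7.20", False, "0.9.8y"),
    ("master-b", "2.7.21", False, "0.9.8y"),
    ("master-c", "3.0.2", False, "1.0.1e"),
    ("master-d", "2.7.1", True, "0.9.8e"),
]


def triage(inventory):
    """Return the hosts that are both unpatched and linked against an affected OpenSSL."""
    return [h for h, p, pe, o in inventory if exposed(p, o, pe)]


if __name__ == "__main__":
    print(triage(INVENTORY))
```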