Posted August 15, 2013
A vulnerability in Ruby’s SSL client could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority. The vulnerability existed because, while Ruby’s SSL client did implement a hostname identity check, it did not properly handle hostnames in certificates that contain null bytes.
- Affected Versions: Puppet Enterprise 2.8.2 and earlier, 3.0.0
- Resolved in Puppet Enterprise 2.8.3 and 3.0.1
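
The hostname check problem described above, as an added example (not Ruby's or Puppet's own code): a model of a comparison that stops reading the certificate name at the first null byte, next to a strict comparison that refuses such names. The function names, the truncation model and the sample hostnames are assumptions constructed for illustration.

```ruby
# Added example. Names below are constructed; example.com and attacker.test
# are placeholder domains, and all functions are hypothetical helpers.

# One label sequence, optional leading "*." wildcard. \A and \z anchor the
# whole string, so a trailing newline or NUL cannot slip past the pattern.
DNS_NAME = /\A(\*\.)?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

# Model of the flawed behaviour: the certificate name is read like a C
# string, so everything from the first NUL byte onward is ignored.
def truncating_match?(cert_name, hostname)
  cert_name[/\A[^\x00]*/].casecmp?(hostname)
end

# Strict comparison: a name with a NUL byte, or any character outside the
# hostname alphabet, never matches. Wildcards cover the leftmost label only.
def strict_match?(cert_name, hostname)
  return false if hostname.start_with?("*")
  return false unless cert_name.match?(DNS_NAME) && hostname.match?(DNS_NAME)

  cert_labels = cert_name.downcase.split(".")
  host_labels = hostname.downcase.split(".")
  return false unless cert_labels.length == host_labels.length

  cert_labels.each_with_index.all? do |label, i|
    (i.zero? && label == "*") || label == host_labels[i]
  end
end

# Certificate names worth flagging during review of a presented certificate.
def names_with_nul(cert_names)
  cert_names.select { |name| name.include?("\0") }
end

SAMPLE_NAMES = [
  "www.example.com",
  "*.example.com",
  "www.example.com\0.attacker.test" # constructed NUL-embedded name
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each do |name|
    puts format("%-40s truncating=%-5s strict=%s", name.inspect,
                truncating_match?(name, "www.example.com"),
                strict_match?(name, "www.example.com"))
  end
end
```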