OpenSSL March 2016 Security Fixes
Posted March 14, 2016
Assessed Risk Level: Low
On March 1, 2016, OpenSSL announced several vulnerabilities.
Puppet Enterprise prior to 2015.3.3 ships with a vulnerable version of OpenSSL. Of the announced vulnerabilities, Puppet Enterprise in its default configuration is vulnerable only to CVE-2016-0702. Because SSLv2 is disabled in Puppet Enterprise and Puppet Agent, we are not vulnerable to DROWN.
For more information about these vulnerabilities, please refer to the OpenSSL security announcement (http://openssl.org/news/secadv/20160301.txt).
Affected Software Versions:
- Puppet Enterprise 3.8.x
- Puppet Enterprise 2015.x prior to 2015.3.3
- Puppet Enterprise 2015.3.3