On March 1, 2016, OpenSSL announced several vulnerabilities.
Puppet Enterprise prior to 2015.3.3 ships with a vulnerable version of OpenSSL. Of the announced vulnerabilities, Puppet Enterprise in its default configuration is vulnerable only to CVE-2016-0702. Because SSLv2 is disabled in Puppet Enterprise and Puppet Agent, we are not vulnerable to DROWN.
For more information about these vulnerabilities, please refer to the OpenSSL security announcement (http://openssl.org/news/secadv/20160301.txt).
Affected Software Versions: