Overview

OpenSSL March 2016 Security Fixes

  • Posted March 14, 2016

  • Assessed Risk Level: Low

On March 1, 2016, OpenSSL announced several vulnerabilities.

Puppet Enterprise prior to 2015.3.3 ships with a vulnerable version of OpenSSL. Of the announced vulnerabilities, Puppet Enterprise in its default configuration is vulnerable only to CVE-2016-0702. Because SSLv2 is disabled in Puppet Enterprise and Puppet Agent, we are not vulnerable to DROWN.

For more information about these vulnerabilities, please refer to the OpenSSL security announcement (http://openssl.org/news/secadv/20160301.txt).

Status:

Affected Software Versions:

  • Puppet Enterprise 3.8.x
  • Puppet Enterprise 2015.x prior to 2015.3.3

Resolved in:

  • Puppet Enterprise 2015.3.3