Overview

OpenSSL May 2016 Security Fixes

  • Posted June 21, 2016

  • Assessed Risk Level: Low

On May 3, 2016, OpenSSL announced several vulnerabilities.

Previous versions of Puppet Enterprise shipped with a vulnerable version of OpenSSL. Of the announced vulnerabilities, the default configuration of Puppet Enterprise is vulnerable only to CVE-2016-2107. However, connections are unlikely to be negotiated with the vulnerable AES-CBC cipher, as it is far down our list of preferred ciphers.

For more information about these vulnerabilities, please refer to the OpenSSL security announcement (https://www.openssl.org/news/secadv/20160503.txt).

Status:

Affected Software Versions:

  • Puppet Enterprise 3.8.x
  • Puppet Enterprise 2015.x
  • Puppet Enterprise 2016.x prior to 2016.2.0

Resolved in:

  • Puppet Enterprise 3.8.6
  • Puppet Enterprise 2016.2.0