OpenSSL May 2016 Security Fixes
Posted June 21, 2016
Assessed Risk Level: Low
On May 3, 2016, OpenSSL announced several vulnerabilities.
Previous versions of Puppet Enterprise shipped with a vulnerable version of OpenSSL. Of the announced vulnerabilities, the default configuration of Puppet Enterprise is only vulnerable to CVE-2016-2107. However, connections are unlikely to be negotiated with the vulnerable AES-CBC cipher, as it is far down our list of preferred ciphers.
For more information about these vulnerabilities, please refer to the OpenSSL security announcement (https://www.openssl.org/news/secadv/20160503.txt).
Affected Software Versions:
- Puppet Enterprise 3.8.x
- Puppet Enterprise 2015.x
- Puppet Enterprise 2016.x prior to 2016.2.0
Resolved in:
- Puppet Enterprise 3.8.6
- Puppet Enterprise 2016.2.0
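
The cipher-preference point above depends on which side's ordering decides the negotiated suite. The following is an added example, not part of this advisory or of Puppet code: it models suite selection to show when an AES-CBC suite would be chosen. The suite lists, client profiles and function names are constructed for illustration and are not Puppet Enterprise's actual configuration.

```python
# Added example: models TLS cipher-suite selection to show when an AES-CBC
# suite would actually be negotiated. All lists below are constructed samples,
# not Puppet Enterprise's real configuration.

def is_aes_cbc(suite):
    """OpenSSL-style names: AES suites without GCM/CCM in the name use CBC."""
    return "AES" in suite and "GCM" not in suite and "CCM" not in suite

def negotiate(server_prefs, client_offer, server_order=True):
    """Return the chosen suite, or None if the two lists do not overlap.

    server_order=True models a server that enforces its own preference list;
    False models a server that follows the client's ordering instead.
    """
    if server_order:
        primary, other = server_prefs, client_offer
    else:
        primary, other = client_offer, server_prefs
    allowed = set(other)
    for suite in primary:
        if suite in allowed:
            return suite
    return None

def audit(server_prefs, clients, server_order=True):
    """Map each client profile to (chosen suite, lands on AES-CBC?)."""
    report = {}
    for name, offer in clients.items():
        chosen = negotiate(server_prefs, offer, server_order)
        report[name] = (chosen, chosen is not None and is_aes_cbc(chosen))
    return report

# Constructed server list: AEAD suites first, AES-CBC suites last.
SERVER_PREFS = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-SHA384", "AES128-SHA"]

# Constructed client profiles.
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-SHA"],
    "cbc_first": ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "legacy": ["AES128-SHA"],
}

if __name__ == "__main__":
    for order in (True, False):
        print("server order enforced:", order)
        for name, (suite, cbc) in audit(SERVER_PREFS, CLIENTS, order).items():
            print(f"  {name:10} -> {suite} (AES-CBC: {cbc})")
```

With the server's order enforced, only the profile that offers nothing but AES-CBC lands on it; when the client's order is followed, the profile that lists AES-CBC first does as well.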