CVE-2011-3872 Information

Description

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6 and Puppet Enterprise (PE) Users 1.0 1.1 and 1.2 before 1.2.4 when signing an agent certificate adds the Puppet master’s certdnsnames values to the X.509 Subject Alternative Name field of the certificate which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master aka \AltNames Vulnerability.\

Reference

http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1 http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/ http://secunia.com/advisories/46550 http://secunia.com/advisories/46578 http://secunia.com/advisories/46934 http://secunia.com/advisories/46964 http://www.securityfocus.com/bid/50356 http://www.ubuntu.com/usn/USN-1238-1 http://www.ubuntu.com/usn/USN-1238-2 https://exchange.xforce.ibmcloud.com/vulnerabilities/70970 https://puppet.com/security/cve/cve-2011-3872