CVE-2013-1654 Information

Description

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1 and Puppet Enterprise 2.7.x before 2.7.2 does not properly negotiate the SSL protocol between client and master which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.

Reference

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/64758 https://puppetlabs.com/security/cve/cve-2013-1654/