Published: 11 December 2017
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
CVSS 3 base score: 6.5
Launchpad, Ubuntu, Debian
|Ubuntu 16.04 ESM (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
Triggered under Apache 2.4 only.
Later Debian packages don't enable SSLCARevocationCheck by default; they just simply add it as a commented-out example to the config file. We are not going to fix this in Ubuntu 14.04 LTS. If this is required, it can simply be added to the local configuration.
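A local check for the condition described above, as an added example that is not part of the advisory or of the Puppet or Ubuntu packages: it reports each `<VirtualHost>` that verifies client certificates and whether `SSLCARevocationCheck` is actually in effect, treating a commented-out line as absent. The sample vhost, its placeholder paths and the `audit_vhosts` helper are constructed for illustration; the check assumes the directives sit inside the vhost block and does not follow `Include` files or server-level inheritance.

```python
import re

# Constructed sample: a Puppet-master-style vhost in which the directive is
# present only as a commented-out example (paths are placeholders).
SAMPLE_VHOST = """\
<VirtualHost *:8140>
    SSLEngine on
    SSLCACertificateFile /path/to/ca_crt.pem
    SSLCARevocationFile  /path/to/ca_crl.pem
    # SSLCARevocationCheck chain
    SSLVerifyClient optional
</VirtualHost>
"""

def audit_vhosts(conf_text):
    """Return one finding per <VirtualHost> block that verifies client certs."""
    findings, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"vhost": opened.group(1).strip(),
                       "verify": "none", "check": None}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current and current["verify"] != "none":
                # Apache 2.4 defaults to "none" when the directive is missing
                mode = current["check"] or "none"
                current["crl_enforced"] = mode != "none"
                findings.append(current)
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "sslverifyclient" and len(parts) > 1:
            current["verify"] = parts[1].lower()
        elif name == "sslcarevocationcheck" and len(parts) > 1:
            current["check"] = parts[1].lower()
    return findings

if __name__ == "__main__":
    for f in audit_vhosts(SAMPLE_VHOST):
        state = "enforced" if f["crl_enforced"] else "NOT enforced"
        print(f"{f['vhost']}: CRL checking {state}")
```

Uncommenting `SSLCARevocationCheck chain` in the local vhost file and reloading Apache is the change the note refers to; rerunning the check on the edited file should then report the vhost as enforced.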