
CVE-2014-3250

Published: 11 December 2017

The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
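The fix is a single Apache directive. The fragment below is an added example of a Puppet master vhost, not the page's or Puppet's own template; the hostname and the SSL paths under /var/lib/puppet/ssl are assumed to follow Puppet 3's default layout on Debian/Ubuntu.

```apache
# Added example vhost for a Puppet master behind Apache 2.4 with mod_ssl.
# Assumed certname: puppetmaster.example.com; assumed ssldir: /var/lib/puppet/ssl.
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem

    # CRL maintained by the Puppet CA; revoked agent certificates are listed here.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem

    # Vulnerable (pre-3.6.2) template: the next directive was absent.
    # Under Apache 2.2, naming a CRL file was enough to enforce it, which is
    # why the apache 2.2 releases were not affected. Apache 2.4 defaults
    # SSLCARevocationCheck to "none", so the CRL is loaded but never consulted
    # and a revoked agent certificate still passes client verification.
    # Fixed template: check every certificate in the presented chain.
    SSLCARevocationCheck    chain

    # Client certificate verification stays optional so new agents can request certs.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

After editing, `apachectl configtest` validates the syntax; a revoked agent should then be refused at the TLS handshake rather than reaching the Puppet application.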

Notes

Author    Note
sbeattie  triggered under apache 2.4 only
mdeslaur  later Debian packages don't enable SSLCARevocationCheck by default; they just simply add it as a commented-out example to the config file. We are not going to fix this in Ubuntu 14.04 LTS. If this is required, it can simply be added to the local configuration.
Priority

Low

CVSS 3 base score: 6.5

Status

Package   Release   Status
puppet    precise   Does not exist (precise was not-affected [apache 2.2])
          trusty    Ignored
          upstream  Released (3.7.0-1)
          vivid     Not vulnerable (3.7.2-1ubuntu2)
          wily      Not vulnerable
          xenial    Not vulnerable
          yakkety   Not vulnerable
          zesty     Not vulnerable

Patches:
upstream: https://github.com/puppetlabs/puppet/commit/b02af7e05d9b9a3bc23474933d8d7f6cd6191158
upstream: https://github.com/puppetlabs/puppet/commit/bcc6dc3207b81ab10e17c63737d18618dca05c1b
upstream: https://github.com/puppetlabs/puppet/commit/f4b479f36648576c39d8ef441d3127aa1b613189