Published: 11 December 2017
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
triggered under apache 2.4 only
later Debian packages don't enable SSLCARevocationCheck by default, just simply add it as a commented-out example to the config file. We are not going to fix this in Ubuntu 14.04 LTS. If this is required, it can simply be added to the local configuration.
Launchpad, Ubuntu, Debian
Does not exist
(precise was not-affected [apache 2.2])
Severity score breakdown