All Puppet Enterprise deployments are vulnerable, and Puppet open
source deployments may be, depending upon their site configuration.
We believe this to be a serious risk, and we have confirmed this with
security experts outside of Puppet Labs.
For more information we have the following resources:
* Blog Post with all the details:
http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
* Security links and details:
http://puppetlabs.com/security/cve/cve-2011-3872/
* Remediation module:
http://links.puppetlabs.com/cve20113872_remediation
As a result of this vulnerability (CVE-2011-3872) we have released new
version of Puppet.
* 2.6.12
* 2.7.6
We will be sending separate announcements about each of those releases.
Michael Stahnke
Release Manager - Puppet Labs