Matthaus Owens
2013-Feb-14 00:49 UTC
[Puppet Users] Puppet 2.7.20 and 3.1.0 Windows packages updated for CVE-2013-0169
We have rebuilt Windows packages for Puppet 2.7.20 and 3.1.0 in response to CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169). The packages include ruby 1.8.7-p371 compiled against openssl 1.0.0k. They are available at http://downloads.puppetlabs.com/windows Here''s a brief description of the ssl vulnerability: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Downloads =======Puppet 2.7.20: https://downloads.puppetlabs.com/windows/puppet-2.7.20-2013-02-13-1.msi Puppet 3.1.0: https://downloads.puppetlabs.com/windows/puppet-3.1.0-2013-02-13-1.msi -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.