We have rebuilt Windows packages for Puppet 2.7.20 and 3.1.0 in response to CVE-2013-0169 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169). The packages include ruby 1.8.7-p371 compiled against openssl 1.0.0k. They are available at http://downloads.puppetlabs.com/windows
Here's a brief description of the ssl vulnerability: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Downloads ======== Puppet 2.7.20: https://downloads.puppetlabs.com/windows/puppet-2.7.20-2013-02-13-1.msi Puppet 3.1.0: https://downloads.puppetlabs.com/windows/puppet-3.1.0-2013-02-13-1.msi -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-dev?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
