Source: puppet-module-puppetlabs-apache
Version: 1.1.1-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for puppet-module-puppetlabs-apache.

CVE-2017-2299[0]:
| Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0
| make it very easy to accidentally misconfigure TLS trust. If you
| specify the `ssl_ca` parameter but do not specify the `ssl_certs_dir`
| parameter, a default will be provided for the `ssl_certs_dir` that
| will trust certificates from any of the system-trusted certificate
| authorities. This did not affect FreeBSD.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2299
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2299
[1] https://puppet.com/security/cve/CVE-2017-2299
[2] https://github.com/puppetlabs/puppetlabs-apache/commit/7bb35c2293c12ce52329a4391fe1f20389efef06

Regards,
Salvatore
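
A check for the condition the CVE text describes, run over rendered Apache vhost configuration. This is an added example, not part of the report and not code from the puppetlabs-apache module. It assumes `ssl_ca` is rendered as `SSLCACertificateFile` and `ssl_certs_dir` as `SSLCACertificatePath`; the system trust directories listed and the sample configuration are constructed.

```python
import posixpath
import re

# Assumption: common system trust store directories; extend per platform.
SYSTEM_TRUST_DIRS = {"/etc/ssl/certs", "/etc/pki/tls/certs"}
_DIRECTIVE = re.compile(
    r'^\s*(SSLCACertificateFile|SSLCACertificatePath)\s+"?([^"\s]+)"?', re.I)
_VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
_VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)


def audit_vhosts(conf_text):
    """Flag vhosts that pin a CA file but also trust a system CA directory."""
    findings, vhost, seen = [], None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out directives
        opened = _VHOST_OPEN.match(line)
        if opened:
            vhost, seen = opened.group(1).strip(), {}
        elif vhost is not None and _VHOST_CLOSE.match(line):
            ca_file = seen.get("sslcacertificatefile")
            ca_path = seen.get("sslcacertificatepath")
            if ca_file and ca_path and posixpath.normpath(ca_path) in SYSTEM_TRUST_DIRS:
                findings.append({"vhost": vhost, "ca_file": ca_file, "ca_path": ca_path})
            vhost = None
        elif vhost is not None:
            m = _DIRECTIVE.match(line)
            if m:
                seen[m.group(1).lower()] = m.group(2)
    return findings


# Constructed sample of rendered vhost configuration (not from the report).
SAMPLE = """\
<VirtualHost *:443>
  SSLCACertificatePath "/etc/ssl/certs/"
  SSLCACertificateFile "/etc/apache2/ssl/internal-ca.pem"
</VirtualHost>
<VirtualHost *:8443>
  SSLCACertificateFile "/etc/apache2/ssl/internal-ca.pem"
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit_vhosts(SAMPLE):
        print(finding)
```

A vhost reported here accepts chains from both the pinned CA file and every CA in the system directory, which is the accidental trust widening the CVE describes.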