Previous versions of Puppet Agent didn't verify the peer in the SSL connection prior to downloading the CRL. This issue is resolved in Puppet Agent 6.4.0. References: https://puppet.com/security/cve/CVE-2018-11751/
There was a period missing in the "fixed in" field, so I corrected that.
External References: https://tickets.puppetlabs.com/browse/PUP-9459
Created puppet tracking bugs for this issue: Affects: epel-7 [bug 1819340] Affects: fedora-all [bug 1819339]
This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11751