Upstream reports:

"In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl, which defaults it to none and must be explicitly configured. This setting enables checking of a certificate revocation list. The default Puppet master vhost config shipped with Puppet does not include this setting. If a Puppet master is set up to run with Apache 2.4, and this default vhost configuration file is used, the Puppet master will continue to honor a host's certificate even after it is revoked."

Acknowledgements:

Red Hat would like to thank Puppet Labs for reporting this issue.
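
The condition described in the upstream report can be checked mechanically. The following is an added example, not part of the original bug report or of Puppet's own code: a small Python audit that flags Apache vhosts which verify client certificates but leave SSLCARevocationCheck unset or set to none. The sample vhost, its port and file paths are constructed, `chain` is used as one valid enforcing value (an assumption, not necessarily what the upstream patch sets), and only directives inside `<VirtualHost>` blocks are inspected (no Include handling).

```python
import re

# Constructed sample vhost; paths and port are illustrative, not from the report.
VULNERABLE = """\
<VirtualHost *:8140>
    SSLEngine on
    SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile  /etc/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
</VirtualHost>
"""
# Same vhost with revocation checking enabled explicitly (assumed value: chain).
FIXED = VULNERABLE.replace(
    "    SSLVerifyClient", "    SSLCARevocationCheck chain\n    SSLVerifyClient")


def check_vhost(d):
    """Return a finding if client certs are verified without CRL enforcement."""
    if d.get("sslengine", "off").lower() != "on":
        return None
    if d.get("sslverifyclient", "none").lower() == "none":
        return None  # no client-certificate authentication to protect
    mode = (d.get("sslcarevocationcheck") or "none").split()[0].lower()
    if mode != "none":
        return None
    has_crl = "sslcarevocationfile" in d or "sslcarevocationpath" in d
    return ("CRL configured but ignored" if has_crl else "no CRL checking") + \
        ": SSLCARevocationCheck is none or unset (Apache 2.4 default)"


def audit_vhosts(conf_text):
    """Return [(vhost, finding)] for each <VirtualHost> block that fails."""
    findings, vhost, directives = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache comments start at the beginning of a line
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, directives = opened.group(1).strip(), {}
        elif line.lower() == "</virtualhost>":
            finding = check_vhost(directives)
            if finding:
                findings.append((vhost, finding))
            vhost = None
        elif vhost is not None:
            parts = line.split(None, 1)  # directive names are case-insensitive
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return findings
```

Calling `audit_vhosts()` on the text of a vhost file returns an empty list when every client-verifying vhost enforces revocation checking.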
Created attachment 899367
upstream patch
Created attachment 902402
revised upstream patch
(In reply to Murray McAllister from comment #6)
> Created attachment 902402
> revised upstream patch

A revision was not needed here. It is OK for it to be identical to the obsoleted patch.
This issue was fixed in upstream version Puppet 3.6.2.

External References:

http://puppetlabs.com/security/cve/CVE-2014-3250
Created puppet tracking bugs for this issue: Affects: fedora-all [bug 1107897]
Statement: Not vulnerable. This issue did not affect the versions of puppet as shipped with Red Hat Subscription Asset Manager 1.3 as they did not include puppet-server.