From secunia security advisory at $URL: Description: The vulnerability is caused due to the application inserting the puppet master's DNS alt names ("certdnsnames") into the X.509 Subject Alternative Name field of the certificate issued to the puppet agent. This can be exploited to impersonate the puppet master via Man-in-the-Middle (MitM) attacks. Solution: Update to: 2.6.12 and 2.7.6
*** This bug has been marked as a duplicate of bug 388161 ***