puppetmasterd in puppet 0.24.6 does not reset supplementary groups
when it switches to a different user, which might allow local users
to access restricted files.
Seems already fixed (haven't checked), needs a GLSA vote.
According to upstream[*] this has been fixed in 0.24.8, and we do not have any version older than that in portage.
YES too, request filed.
This issue was resolved and addressed in
GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml
by GLSA coordinator Sean Amoss (ackle).