A bug in Puppet allows agents with certnames of IP addresses to be impersonated.
This vulnerability exists in setups where certnames are set to host IP addresses. If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host’s former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host’s catalog. Note that IP-based authentication will be disabled in Puppet 3.x, but will not be disabled in prior versions. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated, and using IP-based authentication in 2.7.x will result in a deprecation warning. This is considered a low-risk vulnerability.
Please see the release notes for more details.
Status: CLOSED WONTFIX
This was only addressed in 2.7. It was not really fixed; rather, the change introduces a deprecation warning:
No real fix is planned for this issue in puppet 2.x versions. Hence no update is planned for Red Hat products that include puppet 2.x versions to address this problem.
Thanks for the report, taaroa.
We will just mark this bug depending on bug 425112 and finish the process there.
Sorry for the delay.
2.7.18 in CVS. Please mark stable 2.7.18.
lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet
Enterprise before 2.5.2, supports use of IP addresses in certnames without
warning of potential risks, which might allow remote attackers to spoof an
agent by acquiring a previously used IP address.
Thanks, folks. GLSA Vote: no.
GLSA vote: no.
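Because 2.7.x only warns about IP-based authentication, an administrator may want to find affected setups directly. The following audit sketch is an added example, not code from Puppet or from this report: it flags certnames that are IP literals and `allow` rules that match on IP addresses. The sample data is constructed, and the one-certname-per-line export format and one-pattern-per-`allow` layout are assumptions.

```ruby
require 'ipaddr'

# Constructed sample: one signed certname per line (export format is an assumption).
SAMPLE_CERTNAMES = <<~'EOS'
  web01.example.com
  192.0.2.15
  db01.example.com
  2001:db8::10
  10.20.30.40.example.com
EOS

# Constructed sample auth.conf fragment (path/method/allow directives).
SAMPLE_AUTH_CONF = <<~'EOS'
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  path /file
  allow 192.0.2.0/24
  allow *.example.com
  allow 198.51.100.*
EOS

# Partial-address wildcard such as 198.51.100.* (not parseable by IPAddr).
IP_GLOB = /\A\d{1,3}(\.\d{1,3}){0,2}\.\*\z/

# True when the string is an IPv4/IPv6 literal, optionally with a /prefix.
def ip_literal?(name)
  IPAddr.new(name)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

# Certnames that are bare IP addresses: identity follows the address, not the host.
def ip_certnames(text)
  text.each_line.map(&:strip).reject(&:empty?).select { |n| ip_literal?(n) }
end

# [line_number, pattern] for every allow directive that matches on an IP address.
def ip_allow_rules(conf)
  conf.each_line.with_index(1).each_with_object([]) do |(line, no), hits|
    m = line.match(/\A\s*allow\s+(\S+)\s*\z/) or next
    hits << [no, m[1]] if ip_literal?(m[1]) || m[1] =~ IP_GLOB
  end
end

if __FILE__ == $PROGRAM_NAME
  ip_certnames(SAMPLE_CERTNAMES).each { |n| puts "certname is an IP address: #{n}" }
  ip_allow_rules(SAMPLE_AUTH_CONF).each { |no, p| puts "auth.conf line #{no}: IP-based allow #{p}" }
end
```

Hosts flagged by the first check are the ones whose catalog a later holder of the same address could receive; reissuing their certificates under stable hostnames removes the dependency on the address.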