CVE-2021-27023 (https://puppet.com/security/cve/CVE-2021-27023): A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007 CVE-2021-27025 (https://puppet.com/security/cve/cve-2021-27025): A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'. (CCing graaff@ because it looks like CVE-2021-27025 affects Puppet 5 too?)
(In reply to Sam James from comment #0) > CVE-2021-27023 (https://puppet.com/security/cve/CVE-2021-27023): > > A flaw was discovered in Puppet Agent and Puppet Server that may result in a > leak of HTTP credentials when following HTTP redirects to a different host. > This is similar to CVE-2018-1000007 > > CVE-2021-27025 (https://puppet.com/security/cve/cve-2021-27025): > > A flaw was discovered in Puppet Agent where the agent may silently ignore > Augeas settings or may be vulnerable to a Denial of Service condition prior > to the first 'pluginsync'. > > (CCing graaff@ because it looks like CVE-2021-27025 affects Puppet 5 too?) Yes, looks like Puppet 5 is also affected, with no fixes from upstream. Backporting looks tricky, also because the security fix is part of a larger squashed merge commit so it's hard to tell what is actually needed.