# puppet-enterprise
p
I could be wrong, but I don't believe we do CVE analysis for end of life versions. Both PE 2021.7.x (LTS) and 2023.x have had updates released to address this specific CVE. If 2019.8.x is affected, we would not port a fix to an unsupported release. I would say if you are using the orchestrator in 2019.8.x, you likely want to update as soon as you can, not just for the CVE, but to remain within what we can support. https://www.puppet.com/security/cve/cve-2023-2530-remote-code-execution-orchestrator Have you had any discussion with your account team on this yet?
👍 1
s
No discussion with the account team so far. I am with a client who has already planned to update a specific installation. If PE 2018.8.x would be affected it would give the topic more priority.
p
Unfortunately as mentioned, I don't think we check for CVEs on non-current versions, but I would hazard a guess that it would use the same libraries, etc. (older versions though) and would likely be affected. Is the possibility enough to help move the needle? 🙂
s
Yes that's enough. Will there be more background information on the CVE soon?
p
Possibly, yes. Let me connect you with my counterpart in your region and we can have them help you out with any more info on this.
c
There was a re-factoring of the scheduling system that brought the bug in with 2021.7.0, so the affected versions in the CVE note are accurate: https://www.puppet.com/security/cve/cve-2023-2530-remote-code-execution-orchestrator
👍 2
s
Thanks for pointing this out @csharpsteen