I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar 2013. EPEL has an even older version.
A very old and occasionally suspect repo (rpmforge) in terms of lack of updates (see the clamav issues a little while back). EPEL is better but stays a lot older.
Do I understand correctly that my puppet-master is vulnerable to remote code execution by every node that has access to the master's port tcp/8140?
Yes, that is almost certainly the case - best to check the --changelog of the RPM you are using, though.
If so, then the only option to use puppet while being safe is to use puppetlabs repo, or build puppet myself?
Using the official puppetlabs repo is the best/right answer and will allow you to be on the most recent puppet version - there are significant reasons why this is desirable.