Date: Sat, 11 Jan 2014 13:51:47 -0700
From: "Vincent Danen" <>
To: "Open Source Security" <>
Subject: Re: CVE assignment for jinja2

On 01/11/2014, at 13:37 PM, Vincent Danen wrote:

> On 01/10/2014, at 22:34 PM, Kurt Seifried wrote:
>> dirname = '_jinja2-cache-%d' % os.getuid()
>> Arun Babu Neelicattu of Red Hat spotted this commit which introduces a
>> temporary file creation vulnerability. This issue has been assigned
>> CVE-2014-0012. For information on how to safely create temporary files
>> please see
>> For Python simply use "mkstemp" for files and "mkdtemp" for
>> directories from the "tempfile" module.
> MITRE assigned CVE-2014-1402 to this yesterday:
> (the report, the followup has the CVE assignment).
> That means you'll need to reject this assignment; the commit that Arun spotted was due to the Debian bug report (which the git commit notes, and Ratul linked to in his initial CVE request to the list).

Sorry, I thought the same thing Ratul requested (CVE-2014-1402) was being reported again. This is indeed something different, as the git commit to fix CVE-2014-1402 introduced this new temporary file issue.

Sorry for the noise/confusion.

Vincent Danen / Red Hat Security Response Team
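As an added illustration (not code from this thread or from Jinja2 itself): the predictable cache-directory name quoted above, the mkdtemp-based form Kurt recommends, and a reuse check that refuses a symlink or a directory not owned by the caller. The function names, the scratch root standing in for /tmp, and the planted symlink are constructed for the demo.

```python
import os
import stat
import tempfile


def predictable_cache_dir(tmp_root=None):
    """The pattern from the quoted commit: a fixed, guessable name under the
    shared temp dir. Because the name is known in advance, another local user
    can create (or symlink) that path first and the process will follow it."""
    tmp_root = tmp_root or tempfile.gettempdir()
    return os.path.join(tmp_root, '_jinja2-cache-%d' % os.getuid())


def secure_cache_dir(tmp_root=None):
    """Hardened form: mkdtemp picks an unpredictable name, creates it with
    mode 0700 and fails instead of reusing a path that already exists."""
    return tempfile.mkdtemp(prefix='_jinja2-cache-', dir=tmp_root)


def is_safe_cache_dir(path):
    """Defensive check before reusing a cache directory across runs: it must
    be a real directory (lstat, so a symlink is rejected), owned by the
    current user and not writable by group or others."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo():
    """Constructed scenario (assumption, not Jinja2 behaviour): a scratch root
    stands in for /tmp and a symlink already sits at the predictable name,
    which is the situation the advisory warns about."""
    root = tempfile.mkdtemp()
    elsewhere = tempfile.mkdtemp(dir=root)
    planted = predictable_cache_dir(root)
    os.symlink(elsewhere, planted)  # pre-existing link at the guessable path
    safe = secure_cache_dir(root)
    return {
        'predictable_accepted': is_safe_cache_dir(planted),  # False
        'secure_accepted': is_safe_cache_dir(safe),          # True
        'secure_mode': stat.S_IMODE(os.stat(safe).st_mode),  # 0o700
    }
```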
