Date: Tue, 27 May 2014 10:44:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation

This is to notify the community that Red Hat has fixed CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation.

Summary: the openshift.sh installer script created default passwords for various services during install; this has been fixed. A current copy of the script is available at https://github.com/openshift/openshift-extras/blob/enterprise-2.1/enterprise/install-scripts/generic/openshift.sh

I also wanted to open up a discussion as well: what counts as shipped software? E.g. more and more projects have a bash script linked off the front page/install page. My take on this is if it's "officially" endorsed by the project and prominent it should probably count as "shipped" software and get a CVE (assuming it has a security flaw), but we shouldn't assign CVEs to every instance of install scripts found online (e.g. lots of them squirrelled away inside of GitHub).
--
Kurt Seifried
Red Hat
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
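As an added illustration of the flaw class this advisory reports (not code from openshift.sh or from Red Hat's fix): an installer's fixed fallback password beside a per-install random one, plus the post-install check an auditor would run against a rendered service config. The service name, default string and config layout are constructed placeholders.

```shell
# Constructed placeholder standing in for any hardcoded installer default.
DEFAULT_PASSWORD="changeme"

# Vulnerable pattern: when the operator supplies no password, fall back to a
# constant, so every installation that took the default shares one secret.
password_insecure() {
  printf '%s\n' "${1:-$DEFAULT_PASSWORD}"
}

# Hardened pattern: keep an operator-supplied value, otherwise generate a
# fresh 32-character secret from /dev/urandom for this installation only.
password_hardened() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  else
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
    echo
  fi
}

# Constructed sample of a service config as an installer might render it.
SAMPLE_CONFIG='user = broker
password = changeme
host = localhost'

# Post-install audit: exit 0 if the config text ($1) still carries the
# known default ($2) on its password line, 1 otherwise.
config_has_default() {
  printf '%s\n' "$1" | grep -q -F -x -- "password = $2"
}
```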