Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 May 2014 10:44:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default
 password creation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is to notify the community that Red Hat has fixed  CVE-2014-0234
Installer: OpenShift Enterprise: openshift.sh default password creation.

Summary: the openshift.sh installer script created default passwords
for various services during install, this has been fixed. A current
copy of the script is available at
https://github.com/openshift/openshift-extras/blob/enterprise-2.1/enterprise/install-scripts/generic/openshift.sh

I also wanted to open up a discussion as well, what counts as shipped
software, e.g. more and more projects have a bash script linked off
the front page/install page, my take on this is if it's "officially"
endorsed by the project and prominent it should probably count as
"shipped" software and get a CVE (assuming it has a security flaw),
but we shouldn't assign CVE's to every instance of install scripts
found online (e.g. lots of them squirrelled away inside of GitHub).


- -- 
Kurt Seifried Red Hat
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJThMD6AAoJEBYNRVNeJnmTtOQP/j3JAUs08pNPXVUYoaxHRqfF
+tnbcOUkCy7JOqfnyExTjouzg3YVfPDkK2J3K+Gy1fYiFp0tFgiQfFbEwVCdn/hv
y76yULg+JaQuFdrV6hwq6If8JgP9ZraL2xmi54k5Ja1bg2ZlKBo3y0nGqe+/ocmv
4Q0DlJ+rItOL3x63UIV0evlsOcDZtxfzH3cBFV+KgSqHaO63ekkHQkC24fdAq2wA
HA5OHkIERYtoITXDLzKesJD/WJ+I+eoxxF1HQMzqAXjutGQQ8bKjS5uID0Op4X8P
lVVAHcDnAug6d+rUts7GsGKRPxmOIKVRjON3DPKHugMj4nbO5yal+tlzk3emg4vS
ILIlRm4E0jRfwQq+8u4JEDnhYyFs2ZTwS/0b+RFe5F9tMAPOanltkm9vK39b8eu9
kRKffCWAAlsx8RatJ4KOFEl6eNnwTcBMlYmpEf4sS7UPaa9/RBByU+mNMth7ApY7
NAyeXCa4jZSRvCA5he1qOr1OtSzxcgmqINiop1ntt5xT/LejpZE18HvYSJFDQtRr
JPlfXR0XOfeXxB5+Qo0t0f61o3FAUMExT2TBODzkKg/oVnDf7ZJGjcVmQ1QAgeOT
D4pXoipYKl3BpQZcoraOgnIfp0FgxmtHdv4CXIHx8lsDTrs4O4AIb9krgI3TvoDO
oFusqBwU3/mMIxdKQwE3
=pyOp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ