Date: Wed, 2 Jul 2014 10:49:02 -0400 (EDT)
From: cve-assign@...re.org
To: fweimer@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, misc@...b.org
Subject: Re: Ansible CVE requests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It turns out that the fix was incomplete.

> I think this warrants a separate CVE ID.

Use CVE-2014-4678 for the
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
fix that was announced in the 2014-06-25 ansible-announce "Ansible 1.6.4
update - security release" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

(CVE-2014-4678 exists because of an incomplete fix for CVE-2014-4657.)

Additional CVE IDs (at least two) will be assigned for:

A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security fix"
message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ

B. The 2014-07-01 ansible-announce "Ansible 1.6.6 - refinements to previous
security fixes" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ

(At least for item B, there may have been distinct problems reported by
distinct discoverers, and per-discoverer CVE assignments may be best if
that information is available. It seems likely that that information
won't be available at the time when the CVEs are needed -- and probably
individual independent researchers won't be publishing separate
advisories about subsets of the safe_eval problem -- so one CVE ID for A
and one CVE ID for B is a realistic outcome.)
- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTtBt6AAoJEKllVAevmvmsSLgIAKiP7W7Zu3c0u52+cim/ZY0c
q6tjLtdGtkIGt6o1Y5MzLmmSXBSxKeTIiADRj4apRD8iUGLMz8KidsuWb+AgKvZC
g+yxAqPwiGdyLshLKyegaUwDSZE2qdvYxDB2evTd8NPXyWpauyx4xBSgsFtuIehc
aijeIQtcPok6sm4oPBFzymBGjb1PlufTOfAzciUQBs96IFnD3BsTEejCo6lBwM1X
u8FOkMC4sIp98riL1r2eJhJ1ayX7/eFX2cW58VnQTCjL9SWcNE8WPWwcJJ+d5kpE
zhUQM4jsJ+9uape9wYNcncyrnEYfC9KwVr2cdjzEGmtFG2t556cpx5TBbhBbo00=
=OI7a
-----END PGP SIGNATURE-----