Date: Wed, 2 Jul 2014 10:49:02 -0400 (EDT)
From: cve-assign@...re.org
To: fweimer@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, misc@...b.org
Subject: Re: Ansible CVE requests


> It turns out that the fix was incomplete.

> I think this warrants a separate CVE ID.

Use CVE-2014-4678 for the
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
fix that was announced in the 2014-06-25 ansible-announce "Ansible
1.6.4 update - security release" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

(CVE-2014-4678 exists because of an incomplete fix for CVE-2014-4657.)

Additional CVE IDs (at least two) will be assigned for:

A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security
fix" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ

B. The 2014-07-01 ansible-announce "Ansible 1.6.6 - refinements to
previous security fixes" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ

(At least for item B, there may have been distinct problems reported
by distinct discoverers, and per-discoverer CVE assignments may be
best if that information is available. It seems likely that that
information won't be available at the time when the CVEs are needed --
and probably individual independent researchers won't be publishing
separate advisories about subsets of the safe_eval problem -- so one
CVE ID for A and one CVE ID for B is a realistic outcome.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
