Date: Wed, 02 Jul 2014 17:08:56 +0200
From: Florian Weimer <>
Subject: Re: Ansible CVE requests

On 07/02/2014 04:49 PM, wrote:
>> It turns out that the fix was incomplete.
>> I think this warrants a separate CVE ID.
> Use CVE-2014-4678 for the
> fix that was announced in the 2014-06-25 ansible-announce "Ansible
> 1.6.4 update - security release" message at


> Additional CVE IDs (at least two) will be assigned for:
> A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security
> fix" message at

I think the change in 1.6.5 was an attempt to fix a functionality 
regression, not something that actually added restrictions to the 
sandbox.  I am aware that this assessment is at odds with what upstream 
has stated, so you might want to assign a CVE nevertheless.

Florian Weimer / Red Hat Product Security
