Date: Wed, 02 Jul 2014 17:08:56 +0200
From: Florian Weimer <fweimer@...hat.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com, misc@...b.org
Subject: Re: Ansible CVE requests

On 07/02/2014 04:49 PM, cve-assign@...re.org wrote:
>> It turns out that the fix was incomplete.
>
>> I think this warrants a separate CVE ID.
>
> Use CVE-2014-4678 for the
> https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
> fix that was announced in the 2014-06-25 ansible-announce "Ansible
> 1.6.4 update - security release" message at
> https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

Thanks.

> Additional CVE IDs (at least two) will be assigned for:
>
> A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security
> fix" message at
> https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ

I think the change in 1.6.5 was an attempt to fix a functionality
regression, not something that actually added restrictions to the
sandbox.  I am aware that this assessment is at odds with what upstream
has stated, so you might want to assign a CVE nevertheless.

-- 
Florian Weimer / Red Hat Product Security