Date: Wed, 02 Jul 2014 17:08:56 +0200
From: Florian Weimer <fweimer@...hat.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com, misc@...b.org
Subject: Re: Ansible CVE requests

On 07/02/2014 04:49 PM, cve-assign@...re.org wrote:
>> It turns out that the fix was incomplete.
>
>> I think this warrants a separate CVE ID.
>
> Use CVE-2014-4678 for the
> https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
> fix that was announced in the 2014-06-25 ansible-announce "Ansible
> 1.6.4 update - security release" message at
> https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

Thanks.

> Additional CVE IDs (at least two) will be assigned for:
>
> A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security
> fix" message at
> https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ

I think the change in 1.6.5 was an attempt to fix a functionality regression, not something that actually added restrictions to the sandbox. I am aware that this assessment is at odds with what upstream has stated, so you might want to assign a CVE nevertheless.

-- 
Florian Weimer / Red Hat Product Security