Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 06 Oct 2014 09:11:11 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: Re: CVE request for vulnerability in OpenStack
 Cinder, Nova and Trove

On 29/09/14 10:39 PM, cve-assign@...re.org wrote:
> Is this a remaining vulnerability in Cinder 2013.2.4 and
> possibly other products? If so, then we will assign another CVE ID.

The ssh_execute method is indeed prone to password leak if:
- passwords are used on the command line
- execution fail
- calling code catch and log the exception

So far investigations shows that ssh_execute usage does not contain any
passwords but we can't guarantee Cinder and Nova 2013.2.4 releases are
not affected as the vulnerable code is still there so it may be safer to
considered these releases affected.

Apologizes for the confusion,

--
Tristan Cacqueray
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.