Date: Sat, 2 May 2015 04:10:45 +0200
From: Michael Scherer <misc@...b.org>
To: oss-security@...ts.openwall.com
Cc: security@...tstack.com
Subject: CVE Request / Saltstack SSL verification disabling for alibaba cloud module

Hi,

Could a CVE be assigned for this problem:

Saltstack does not verify the certificate when connecting to the Aliyun (Alibaba cloud service)
API over HTTPS
https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/aliyun.py#L724


The same issue exists for the proxmox module:
https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/proxmox.py#L115

And splunk:
https://github.com/saltstack/salt/blob/develop/salt/modules/splunk_search.py#L168


This was found by running bandit on the source code
( https://wiki.openstack.org/wiki/Security/Projects/Bandit )
-- 
Michael Scherer
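
An added example, not part of the original post and not Salt's or Bandit's own code: a small AST check of the kind a static analyzer runs to flag disabled certificate verification. It assumes the flagged pattern is a `verify=False` argument as accepted by the `requests` library, which the post itself does not state; the sample source and function names are constructed.

```python
import ast

# Constructed sample resembling a cloud-driver helper; not code from the Salt repository.
SAMPLE = '''
import requests

def query(url, params):
    return requests.get(url, params=params, verify=False)

def query_ok(url, params):
    return requests.get(url, params=params, verify="/etc/ssl/certs/ca.pem")

def post(session, url, opts):
    kwargs = {"verify": False}
    return session.post(url, **kwargs)
'''


def _is_false(node):
    """True only for the literal False (not 0, None or a variable)."""
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_verification(source, filename="<sample>"):
    """Return (filename, line, description) for each place TLS verification is switched off."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            # Direct keyword argument: requests.get(url, verify=False)
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append((filename, node.lineno, "call passes verify=False"))
        elif isinstance(node, ast.Dict):
            # Indirect form: kwargs = {"verify": False}; session.post(url, **kwargs)
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == "verify" and _is_false(value):
                    findings.append((filename, node.lineno, "dict sets 'verify': False"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for fname, line, what in find_disabled_verification(SAMPLE):
        print(f"{fname}:{line}: {what}")
```

Each finding is a place where the fix is to drop the argument or point `verify` at a CA bundle, as `query_ok` in the sample does.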
