Date: Mon, 18 May 2015 17:01:06 -0600 From: Colton Myers <colton@...tstack.com> To: Michael Scherer <misc@...b.org> Cc: oss-security@...ts.openwall.com, security@...tstack.com Subject: Re: [saltstack-security] CVE Request / Saltstack SSL verification disabling for alibabab cloud module CVE was assigned off list: CVE-2015-4017 -- Certificates are not verified when connecting to server in the Aliyun and Proxmox modules And fixed in the just-released 2014.7.6: https://groups.google.com/forum/#!topic/salt-users/8Kv1bytGD6c The splunk module vulnerability was not in a released version of salt, so there is no CVE for that module. It was fixed before the 2015.5.0 release. Please note that we have a responsible disclosure policy, and would appreciate it if it were followed in the future: http://docs.saltstack.com/en/latest/security/index.html#disclosure -- Colton Myers Platform Engineer, SaltStack @basepi on Twitter/Github/IRC On Fri, May 1, 2015 at 8:10 PM, Michael Scherer <misc@...b.org> wrote: > Hi, > > Could a CVE be assigned for this problem : > > Saltstack do not verify certificate when connecting to Aliyun (Alibaba > cloud service) > API on HTTPS > > https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/aliyun.py#L724 > > > The same issue exist for the proxmox module : > > https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/proxmox.py#L115 > > And splunk: > > https://github.com/saltstack/salt/blob/develop/salt/modules/splunk_search.py#L168 > > > This was found by running bandit on the source code > ( https://wiki.openstack.org/wiki/Security/Projects/Bandit ) > -- > Michael Scherer >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ