Date: Mon, 18 May 2015 17:01:06 -0600
From: Colton Myers <>
To: Michael Scherer <>
Subject: Re: [saltstack-security] CVE Request / Saltstack SSL verification
 disabling for alibabab cloud module

CVE was assigned off list:

CVE-2015-4017 -- Certificates are not verified when connecting to server in
the Aliyun and Proxmox modules

And fixed in the just-released 2014.7.6:!topic/salt-users/8Kv1bytGD6c

The splunk module vulnerability was not in a released version of salt, so
there is no CVE for that module. It was fixed before the 2015.5.0 release.

Please note that we have a responsible disclosure policy, and would
appreciate it if it were followed in the future:

Colton Myers
Platform Engineer, SaltStack
@basepi on Twitter/Github/IRC

On Fri, May 1, 2015 at 8:10 PM, Michael Scherer <> wrote:

> Hi,
> Could a CVE be assigned for this problem:
> Saltstack does not verify the certificate when connecting to Aliyun (Alibaba
> cloud service)
> The same issue exists for the proxmox module:
> And splunk:
> This was found by running bandit on the source code
> ( )
> --
> Michael Scherer
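
An added example, not part of the thread and not Salt's or bandit's own code: a small AST scan for the class of issue reported above, calls that switch off TLS certificate verification. The patterns checked (`verify=False`, `cert_reqs=CERT_NONE`, `_create_unverified_context`) and the sample source are assumptions, since the thread does not show the affected code.

```python
import ast

# Constructed sample; function names are hypothetical, not from Salt.
SAMPLE = '''
import requests, ssl

def query(url, params):
    return requests.get(url, params=params, verify=False)

def query_ok(url, params):
    return requests.get(url, params=params, verify=True)

def ctx():
    return ssl._create_unverified_context()

def wrap(sock):
    return ssl.wrap_socket(sock, cert_reqs=ssl.CERT_NONE)
'''

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def find_unverified_tls(source, filename="<string>"):
    """Return sorted (line, reason) pairs for calls that disable verification."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name.endswith("_create_unverified_context"):
            findings.append((node.lineno, name + "()"))
        for kw in node.keywords:
            value = kw.value
            if kw.arg == "verify" and isinstance(value, ast.Constant) and value.value is False:
                findings.append((node.lineno, "verify=False"))
            elif kw.arg == "cert_reqs" and _dotted(value).endswith("CERT_NONE"):
                findings.append((node.lineno, "cert_reqs=CERT_NONE"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unverified_tls(SAMPLE):
        print(f"line {line}: {reason}")
```

Only literal `verify=False` is matched; a value passed through a variable or a configuration option needs data-flow analysis or manual review.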
