Date: Thu, 5 Jun 2014 09:15:02 -0400 (EDT)
Subject: Re: CVE-2014-0234 Installer: OpenShift Enterprise: default password creation

>> 3. The CVE IDs in 1 and 2 can't be the same.

> ?

There are different default-password problems that seem to have been
fixed at substantially different times, and this would often require
separate CVEs.

The issue reported in apparently
included a default password of mooo. Use of mooo apparently stopped
(September 2013).

Commits such as
suggest that other default-password issues were fixed in 2014,
apparently including password, marionette, mongopass, OSEnterprise,
and changeme.

To have one CVE for everything, you'd need a situation similar to:

   1. one version released by Red Hat was based on code such as
      which has both the mooo issue and other default-password issues

   2. the next version released by Red Hat fixed the mooo issue and
      the other default-password issues

Is that what you mean, i.e., no release had a partial fix?

(The reason this question originally came up is that the wording in is "the optional
installer also did this." You've now clarified that the reason for
those MONGO_PASSWORD= lines in broker.conf is that the product was
installed by this optional installer. However, a need for multiple
CVEs is still possible, as reflected in the question above.)

Finally, are any of the CVEs duplicates of CVE-2013-4253 or
CVE-2013-4281? Those two CVE IDs are mentioned at
but the only attempted documentation seems to be links to nonexistent URLs, and the two CVE IDs don't seem to be in
Aliases fields in Red Hat Bugzilla.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]