Date: Thu, 5 Jun 2014 09:15:02 -0400 (EDT) From: cve-assign@...re.org To: kseifried@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> 3. The CVE IDs in 1 and 2 can't be the same. > ? There are different default-password problems that seem to have been fixed at substantially different times, and this would often require separate CVEs. The issue reported in http://openwall.com/lists/oss-security/2014/05/29/4 apparently included a default password of mooo. Use of mooo apparently stopped after https://github.com/openshift/openshift-extras/commit/e7e53d296787e674859c1a06db93fcf9d98173b4 (September 2013). Commits such as https://github.com/openshift/openshift-extras/commit/4339020c62e43fa16f2145d46636f7dc0e26327f suggest that other default-password issues were fixed in 2014, apparently including password, marionette, mongopass, OSEnterprise, and changeme. To have one CVE for everything, you'd need a situation similar to: 1. one version released by Red Hat was based on code such as https://github.com/openshift/openshift-extras/blob/e4c285f52fa93ed4626837d0436943717f85843a/enterprise/install-scripts/generic/openshift.sh which has both the mooo issue and other default-password issues 2. the next version released by Red Hat fixed the mooo issue and the other default-password issues Is that what you mean, i.e., no release had a partial fix? (The reason this question originally came up is that the wording in https://bugzilla.redhat.com/show_bug.cgi?id=1097008 is "the optional installer also did this." You've now clarified that the reason for those MONGO_PASSWORD= lines in broker.conf is that the product was installed by this optional installer. However, a need for multiple CVEs is still possible, as reflected in the question above.) Finally, are any of the CVEs duplicates of CVE-2013-4253 or CVE-2013-4281? Those two CVE IDs are mentioned at https://github.com/openshift/openshift-extras/blob/master/README.md but the only attempted documentation seems to be links to nonexistent access.redhat.com URLs, and the two CVE IDs don't seem to be in Aliases fields in Red Hat Bugzilla. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTkGz+AAoJEKllVAevmvmszuAH/j7ejpzpMred2iS3F0tmZr91 PY8QprPfBkB8FR7IN0JezZu8hDuuSfnhu7TSWEvyED2y4J276M1DtCWH7n2G9sNG qEEM2A4jJl2hMGnPSVg23gGxS+X4DwpKV2JjK9DfXXkCqHyUeoPNLPTzZE2o08hq de/RA/7HwVoIhznqIG0HWgdkLJ1jLJKWb95vZvKlQeP8DqSyq4pvkR/tqOKMVDDS 2eP1oqDM6wqgd3Y36WY6pe34m31CXo0wjg6Tkepeh9lfo03B8OGIJ+HKMSQb/ZfQ YBYLY1TQ/C8mBmfkqe+GVLVywNZLWDYO6SnQh9VXSEMn87gO3O63aEnJtkrQVyE= =u262 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.