Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 5 Jun 2014 09:15:02 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> 3. The CVE IDs in 1 and 2 can't be the same.

> ?

There are different default-password problems that seem to have been
fixed at substantially different times, and this would often require
separate CVEs.

The issue reported in
http://openwall.com/lists/oss-security/2014/05/29/4 apparently
included a default password of mooo. Use of mooo apparently stopped
after
https://github.com/openshift/openshift-extras/commit/e7e53d296787e674859c1a06db93fcf9d98173b4
(September 2013).

Commits such as
https://github.com/openshift/openshift-extras/commit/4339020c62e43fa16f2145d46636f7dc0e26327f
suggest that other default-password issues were fixed in 2014,
apparently including password, marionette, mongopass, OSEnterprise,
and changeme.

To have one CVE for everything, you'd need a situation similar to:

   1. one version released by Red Hat was based on code such as
      https://github.com/openshift/openshift-extras/blob/e4c285f52fa93ed4626837d0436943717f85843a/enterprise/install-scripts/generic/openshift.sh
      which has both the mooo issue and other default-password issues

   2. the next version released by Red Hat fixed the mooo issue and
      the other default-password issues

Is that what you mean, i.e., no release had a partial fix?

(The reason this question originally came up is that the wording in
https://bugzilla.redhat.com/show_bug.cgi?id=1097008 is "the optional
installer also did this." You've now clarified that the reason for
those MONGO_PASSWORD= lines in broker.conf is that the product was
installed by this optional installer. However, a need for multiple
CVEs is still possible, as reflected in the question above.)

Finally, are any of the CVEs duplicates of CVE-2013-4253 or
CVE-2013-4281? Those two CVE IDs are mentioned at
https://github.com/openshift/openshift-extras/blob/master/README.md
but the only attempted documentation seems to be links to nonexistent
access.redhat.com URLs, and the two CVE IDs don't seem to be in
Aliases fields in Red Hat Bugzilla.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTkGz+AAoJEKllVAevmvmszuAH/j7ejpzpMred2iS3F0tmZr91
PY8QprPfBkB8FR7IN0JezZu8hDuuSfnhu7TSWEvyED2y4J276M1DtCWH7n2G9sNG
qEEM2A4jJl2hMGnPSVg23gGxS+X4DwpKV2JjK9DfXXkCqHyUeoPNLPTzZE2o08hq
de/RA/7HwVoIhznqIG0HWgdkLJ1jLJKWb95vZvKlQeP8DqSyq4pvkR/tqOKMVDDS
2eP1oqDM6wqgd3Y36WY6pe34m31CXo0wjg6Tkepeh9lfo03B8OGIJ+HKMSQb/ZfQ
YBYLY1TQ/C8mBmfkqe+GVLVywNZLWDYO6SnQh9VXSEMn87gO3O63aEnJtkrQVyE=
=u262
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.