Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Jun 2014 14:18:02 -0400 (EDT)
Subject: Re: Ansible CVE requests

Hash: SHA1



> just in case, seems that it is this patch for "Security fix for safe_eval" :

> and for Security fix for vault :

> and for apt :

(Note that 603205 isn't a complete list of the upstream Ansible
vulnerabilities because Mageia is shipping a 1.4.x version and
therefore wasn't interested in

We think 998793fd0ab55705d57527a38cee5e83f535974c is about fixing one
type of issue, but feel free to identify any additional types of
issues that are also fixed. Use CVE-2014-4657 for the general topic of
"the product intentionally allows code execution of code with limited
capabilities, but the code restrictions are insufficient."
suggests that this was fixed in 1.5.4.

a0e027fe362fbc209dbeff2f72d6e95f39885c69 seems to be a
straightforward case of "the product creates files that normally
contain secret values, but does not ensure appropriate permissions."
Use CVE-2014-4658.
suggests that this was fixed in 1.5.5.

c4b5e46054c74176b2446c82d4df1a2610eddc08 is about multiple types of
suggests that these were fixed in 1.5.5. One issue is doing an
unconditional "chmod 0644" on a file that may have required stronger
permissions for a site-specific reason. Use CVE-2014-4659.

Also, the changes related to _strip_username_password apparently mean
that the product might encounter an /etc/apt/sources.list line
starting with:

  deb http://user:pass@...ver:port/

and would then construct a filename containing the user and pass
fields, leaking credentials in a way that potentially crosses
privilege boundaries. Use CVE-2014-4660.

Does anyone want a CVE ID for this third potential
c4b5e46054c74176b2446c82d4df1a2610eddc08 issue?

The changes related to check_mode apparently mean that wasn't
properly implemented, and an administrator might unintentionally
perform dangerous actions. CVE assignments for this type of problem
seem uncommon, although that might be because the class of issues is
underreported. (The bug here seems to be a case of "doesn't even
notice whether check_mode is active" rather than "notices that
check_mode is active but proceeds unsafely." See also the
blog post.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.