Date: Wed, 2 Jul 2014 10:49:02 -0400 (EDT)
From: cve-assign@...re.org
To: fweimer@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, misc@...b.org
Subject: Re: Ansible CVE requests


> It turns out that the fix was incomplete.

> I think this warrants a separate CVE ID.

Use CVE-2014-4678 for the
https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
fix that was announced in the 2014-06-25 ansible-announce "Ansible
1.6.4 update - security release" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

(CVE-2014-4678 exists because of an incomplete fix for CVE-2014-4657.)

Additional CVE IDs (at least two) will be assigned for:

A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security
fix" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ

B. The 2014-07-01 ansible-announce "Ansible 1.6.6 - refinements to
previous security fixes" message at
https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ

(At least for item B, there may have been distinct problems reported
by distinct discoverers, and per-discoverer CVE assignments may be
best if that information is available. It seems likely that that
information won't be available at the time when the CVEs are needed --
and probably individual independent researchers won't be publishing
separate advisories about subsets of the safe_eval problem -- so one
CVE ID for A and one CVE ID for B is a realistic outcome.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
