Date: Mon, 8 Jul 2019 16:59:35 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
cc: Fabiano Fidencio <ffidenci@...hat.com>
Subject: CVE-2019-13313, CVE-2019-13314: password disclosure via command line arguments

Hello,

CVE-2019-13313 Libosinfo: osinfo-install-script option leaks password via command line argument.

'osinfo-install-script' is used to generate a script for automated guest installations. It accepts user and admin passwords via command line arguments, thus leaking them via process listing.

CVE-2019-13314 virt-bootstrap: allows local users to discover root password via process listing

virt-bootstrap 1.1.0 allows local users to discover a root password via process listing, because it's passed as command line parameter via --root-password option.

These issues were reported by Fabiano Fidêncio of Red Hat Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
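An audit for the exposure described in the message above, as an added example that is not part of the original post or of either project's code: it parses NUL-separated argv buffers in the format of /proc/<pid>/cmdline and reports which processes carry a secret-bearing option, without ever echoing the value. The option-name heuristic, the PIDs and the sample command lines are assumptions constructed for this example; only `--root-password` comes from the advisory.

```python
import re

# Heuristic for secret-bearing option names (an assumption of this example).
SECRET_OPT = re.compile(r"^--?[\w-]*(password|passwd|secret|token)[\w-]*$", re.I)

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into strings."""
    parts = raw.split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()  # the buffer normally ends with a trailing NUL
    return [p.decode("utf-8", "replace") for p in parts]

def find_secret_args(argv):
    """Return the names of secret-looking options that carry a value.
    Only option names are returned, so the result is safe to log."""
    hits = []
    i = 1  # argv[0] is the program name
    while i < len(argv):
        if argv[i] == "--":
            break  # everything after "--" is positional
        name, eq, _value = argv[i].partition("=")
        if SECRET_OPT.match(name):
            if eq:                      # --opt=value form
                hits.append(name)
            elif i + 1 < len(argv):     # --opt value form
                hits.append(name)
                i += 1                  # skip the consumed value
        i += 1
    return hits

def audit(procs):
    """Map pid -> flagged option names for a {pid: raw_cmdline} snapshot."""
    return {pid: hits for pid, raw in procs.items()
            if (hits := find_secret_args(parse_cmdline(raw)))}

# Constructed sample snapshot; PIDs, arguments and values are illustrative.
SAMPLES = {
    4101: b"virt-bootstrap\0SRC-PLACEHOLDER\0DEST-PLACEHOLDER\0"
          b"--root-password\0CONSTRUCTED-VALUE\0",
    4102: b"example-tool\0--password=CONSTRUCTED-VALUE\0",
    4103: b"sshd\0-D\0",
}

if __name__ == "__main__":
    for pid, opts in sorted(audit(SAMPLES).items()):
        print(f"pid {pid}: secret passed on command line via {', '.join(opts)}")
```

On a Linux host the same functions can be fed the bytes read from each /proc/<pid>/cmdline to check whether installation tooling is still being invoked with passwords in argv.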