Re: [saltstack-security] CVE Request / Saltstack SSL verification disabling for alibabab cloud module

[Colton Myers <colton () saltstack com>]

CVE was assigned off list:

CVE-2015-4017 -- Certificates are not verified when connecting to server in
the Aliyun and Proxmox modules

And fixed in the just-released 2014.7.6:

https://groups.google.com/forum/#!topic/salt-users/8Kv1bytGD6c

The splunk module vulnerability was not in a released version of salt, so
there is no CVE for that module. It was fixed before the 2015.5.0 release.

Please note that we have a responsible disclosure policy, and would
appreciate it if it were followed in the future:

http://docs.saltstack.com/en/latest/security/index.html#disclosure

--
Colton Myers
Platform Engineer, SaltStack
@basepi on Twitter/Github/IRC

On Fri, May 1, 2015 at 8:10 PM, Michael Scherer <misc () zarb org> wrote:

> Hi,
>
> Could a CVE be assigned for this problem :
>
> Saltstack do not verify certificate when connecting to Aliyun (Alibaba
> cloud service)
> API on HTTPS
>
> https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/aliyun.py#L724
>
>
> The same issue exist for the proxmox module :
>
> https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/proxmox.py#L115
>
> And splunk:
>
> https://github.com/saltstack/salt/blob/develop/salt/modules/splunk_search.py#L168
>
>
> This was found by running bandit on the source code
> ( https://wiki.openstack.org/wiki/Security/Projects/Bandit )
> --
> Michael Scherer