oss-sec mailing list archives
Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation
From: cve-assign () mitre org
Date: Thu, 5 Jun 2014 09:15:02 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
3. The CVE IDs in 1 and 2 can't be the same.
?
There are different default-password problems that seem to have been fixed at substantially different times, and this would often require separate CVEs. The issue reported in http://openwall.com/lists/oss-security/2014/05/29/4 apparently included a default password of mooo. Use of mooo apparently stopped after https://github.com/openshift/openshift-extras/commit/e7e53d296787e674859c1a06db93fcf9d98173b4 (September 2013). Commits such as https://github.com/openshift/openshift-extras/commit/4339020c62e43fa16f2145d46636f7dc0e26327f suggest that other default-password issues were fixed in 2014, apparently including password, marionette, mongopass, OSEnterprise, and changeme. To have one CVE for everything, you'd need a situation similar to: 1. one version released by Red Hat was based on code such as https://github.com/openshift/openshift-extras/blob/e4c285f52fa93ed4626837d0436943717f85843a/enterprise/install-scripts/generic/openshift.sh which has both the mooo issue and other default-password issues 2. the next version released by Red Hat fixed the mooo issue and the other default-password issues Is that what you mean, i.e., no release had a partial fix? (The reason this question originally came up is that the wording in https://bugzilla.redhat.com/show_bug.cgi?id=1097008 is "the optional installer also did this." You've now clarified that the reason for those MONGO_PASSWORD= lines in broker.conf is that the product was installed by this optional installer. However, a need for multiple CVEs is still possible, as reflected in the question above.) Finally, are any of the CVEs duplicates of CVE-2013-4253 or CVE-2013-4281? Those two CVE IDs are mentioned at https://github.com/openshift/openshift-extras/blob/master/README.md but the only attempted documentation seems to be links to nonexistent access.redhat.com URLs, and the two CVE IDs don't seem to be in Aliases fields in Red Hat Bugzilla. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTkGz+AAoJEKllVAevmvmszuAH/j7ejpzpMred2iS3F0tmZr91 PY8QprPfBkB8FR7IN0JezZu8hDuuSfnhu7TSWEvyED2y4J276M1DtCWH7n2G9sNG qEEM2A4jJl2hMGnPSVg23gGxS+X4DwpKV2JjK9DfXXkCqHyUeoPNLPTzZE2o08hq de/RA/7HwVoIhznqIG0HWgdkLJ1jLJKWb95vZvKlQeP8DqSyq4pvkR/tqOKMVDDS 2eP1oqDM6wqgd3Y36WY6pe34m31CXo0wjg6Tkepeh9lfo03B8OGIJ+HKMSQb/ZfQ YBYLY1TQ/C8mBmfkqe+GVLVywNZLWDYO6SnQh9VXSEMn87gO3O63aEnJtkrQVyE= =u262 -----END PGP SIGNATURE-----
Current thread:
- CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation Kurt Seifried (May 27)
- Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation cve-assign (May 28)
- Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation cve-assign (Jun 03)
- Re: Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation Kurt Seifried (Jun 04)
- Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation cve-assign (Jun 05)
- Re: Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation Kurt Seifried (Jun 04)
- Re: Re: CVE-2014-0234 Installer: OpenShift Enterprise: openshift.sh default password creation Kurt Seifried (Jun 04)