oss-sec mailing list archives
Re: Ansible CVE requests
From: Florian Weimer <fweimer () redhat com>
Date: Wed, 02 Jul 2014 17:08:56 +0200
On 07/02/2014 04:49 PM, cve-assign () mitre org wrote:
>> It turns out that the fix was incomplete.
>> I think this warrants a separate CVE ID.
>
> Use CVE-2014-4678 for the https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916 fix that was announced in the 2014-06-25 ansible-announce "Ansible 1.6.4 update - security release" message at https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ
Thanks.
> Additional CVE IDs (at least two) will be assigned for:
>
> A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security fix" message at https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ
I think the change in 1.6.5 was an attempt to fix a functionality regression, not something that actually added restrictions to the sandbox. I am aware that this assessment is at odds with what upstream has stated, so you might want to assign a CVE nevertheless.
-- Florian Weimer / Red Hat Product Security