oss-sec mailing list archives

Re: Ansible CVE requests


From: Florian Weimer <fweimer () redhat com>
Date: Wed, 02 Jul 2014 17:08:56 +0200

On 07/02/2014 04:49 PM, cve-assign () mitre org wrote:
>> It turns out that the fix was incomplete.
>>
>> I think this warrants a separate CVE ID.
>
> Use CVE-2014-4678 for the
> https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
> fix that was announced in the 2014-06-25 ansible-announce "Ansible
> 1.6.4 update - security release" message at
> https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

Thanks.

> Additional CVE IDs (at least two) will be assigned for:
>
> A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security
> fix" message at
> https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ

I think the change in 1.6.5 was an attempt to fix a functionality regression, not something that actually added restrictions to the sandbox. I am aware that this assessment is at odds with what upstream has stated, so you might want to assign a CVE nevertheless.

--
Florian Weimer / Red Hat Product Security
