oss-sec mailing list archives

CVE Request / Saltstack SSL verification disabling for Alibaba cloud module


From: Michael Scherer <misc () zarb org>
Date: Sat, 2 May 2015 04:10:45 +0200

Hi,

Could a CVE be assigned for this problem:

Saltstack does not verify the certificate when connecting to the Aliyun (Alibaba cloud service)
API over HTTPS
https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/aliyun.py#L724


The same issue exists for the proxmox module:
https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/proxmox.py#L115

And splunk:
https://github.com/saltstack/salt/blob/develop/salt/modules/splunk_search.py#L168


This was found by running bandit on the source code
( https://wiki.openstack.org/wiki/Security/Projects/Bandit )
-- 
Michael Scherer

