|
Message-Id: <201407021449.s62En2KN028569@linus.mitre.org> Date: Wed, 2 Jul 2014 10:49:02 -0400 (EDT) From: cve-assign@...re.org To: fweimer@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, misc@...b.org Subject: Re: Ansible CVE requests -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > It turns out that the fix was incomplete. > I think this warrants a separate CVE ID. Use CVE-2014-4678 for the https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916 fix that was announced in the 2014-06-25 ansible-announce "Ansible 1.6.4 update - security release" message at https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ (CVE-2014-4678 exists because of an incomplete fix for CVE-2014-4657.) Additional CVE IDs (at least two) will be assigned for: A. The 2014-06-25 ansible-announce "Ansible 1.6.5 - updated security fix" message at https://groups.google.com/forum/message/raw?msg=ansible-announce/A1px5egCnGQ/jH6f5HM7kpkJ B. The 2014-07-01 ansible-announce "Ansible 1.6.6 - refinements to previous security fixes" message at https://groups.google.com/forum/message/raw?msg=ansible-announce/WKL7BY3qddo/JkJiNrZzy3AJ (At least for item B, there may have been distinct problems reported by distinct discoverers, and per-discoverer CVE assignments may be best if that information is available. It seems likely that that information won't be available at the time when the CVEs are needed -- and probably individual independent researchers won't be publishing separate advisories about subsets of the safe_eval problem -- so one CVE ID for A and one CVE ID for B is a realistic outcome.) - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTtBt6AAoJEKllVAevmvmsSLgIAKiP7W7Zu3c0u52+cim/ZY0c q6tjLtdGtkIGt6o1Y5MzLmmSXBSxKeTIiADRj4apRD8iUGLMz8KidsuWb+AgKvZC g+yxAqPwiGdyLshLKyegaUwDSZE2qdvYxDB2evTd8NPXyWpauyx4xBSgsFtuIehc aijeIQtcPok6sm4oPBFzymBGjb1PlufTOfAzciUQBs96IFnD3BsTEejCo6lBwM1X u8FOkMC4sIp98riL1r2eJhJ1ayX7/eFX2cW58VnQTCjL9SWcNE8WPWwcJJ+d5kpE zhUQM4jsJ+9uape9wYNcncyrnEYfC9KwVr2cdjzEGmtFG2t556cpx5TBbhBbo00= =OI7a -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.