Bug 1105713 - (CVE-2014-3251) CVE-2014-3251 mcollective: aes_security.rb file creation vulnerability
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20140715,repor...
: Security
Depends On: 1118889 1161821 1161822 1161823 1161824
Blocks: 1105714
Reported: 2014-06-06 15:16 EDT by Kurt Seifried
Modified: 2015-06-11 17:03 EDT

Doc Type: Bug Fix
Last Closed: 2014-11-07 23:40:14 EST

Attachments
mcollective-2.5.2-flaw-in-aes_security.patch (14.31 KB, patch)
2014-07-10 02:06 EDT, Kurt Seifried

Description Kurt Seifried 2014-06-06 15:16:52 EDT
Mark Chappell of Red Hat reports:

When configured to automatically discover and store certificates, the 
aes_security plugin relies on the file name of the SSL certificate as stored 
on the client rather than any of the information in the SSL certificate when 
creating the file to store the certificate in. Due to a lack of checks in
aes_security.rb this allows arbitrary files to be created.
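
An added example (not from this bug report, the attached patch, or MCollective's own code) of the kind of check the description says is missing: validate a peer-supplied name before using it as the file name for a stored certificate. The helper names, the allow-list pattern and the `.pem` suffix are assumptions; it covers name validation only, not deriving the name from the certificate's contents.

```ruby
require "tmpdir"

# Hypothetical helper names; this is not MCollective's aes_security.rb code.
class UnsafeCertName < StandardError; end

# Assumed allow-list for a peer identifier: starts alphanumeric, then
# letters, digits, '_', '.', '-'. No '/', no leading dot, no NUL byte.
SAFE_ID = /\A[A-Za-z0-9][A-Za-z0-9_.\-]{0,200}\z/

# Map a peer-supplied identifier to a file directly inside cert_dir.
def cert_path_for(cert_dir, peer_id)
  unless peer_id.is_a?(String) && peer_id.match?(SAFE_ID)
    raise UnsafeCertName, "rejected identifier #{peer_id.inspect}"
  end
  base = File.realpath(cert_dir)
  path = File.expand_path("#{peer_id}.pem", base)
  # Defence in depth: the resolved path must sit directly in cert_dir.
  raise UnsafeCertName, "path escapes #{base}" unless File.dirname(path) == base
  path
end

# Write the certificate once. CREAT|EXCL fails if anything (file or symlink)
# already exists at the path, so a stored certificate is never replaced.
def store_discovered_cert(cert_dir, peer_id, pem)
  path = cert_path_for(cert_dir, peer_id)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o644) { |f| f.write(pem) }
  path
rescue Errno::EEXIST
  raise UnsafeCertName, "a certificate for #{peer_id} is already stored"
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed sample identifiers, as a peer might send them.
    ["node1.example.com", "../outside", "/tmp/abs", "a/b", ".hidden"].each do |id|
      begin
        puts "stored   #{store_discovered_cert(dir, id, "constructed PEM body\n")}"
      rescue UnsafeCertName => e
        puts "refused  #{e.message}"
      end
    end
  end
end
```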
Comment 1 Kurt Seifried 2014-07-10 02:00:25 EDT
A planned disclosure date, Tuesday, July 15, 2014, at 14:30 UTC, has been set; please note that this may change.
Comment 2 Kurt Seifried 2014-07-10 02:06:52 EDT
Created attachment 916998
mcollective-2.5.2-flaw-in-aes_security.patch
Comment 4 Kurt Seifried 2014-11-07 23:40:14 EST
Statement:

Red Hat OpenShift Enterprise 2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise 2 Life Cycle: https://access.redhat.com/support/policy/updates/openshift.
Comment 5 Kurt Seifried 2014-11-07 23:41:08 EST
Created mcollective tracking bugs for this issue:

Affects: epel-5 [bug 1161821]
Comment 6 Kurt Seifried 2014-11-07 23:41:20 EST
Created mcollective tracking bugs for this issue:

Affects: epel-6 [bug 1161822]
Comment 7 Kurt Seifried 2014-11-07 23:41:37 EST
Created mcollective tracking bugs for this issue:

Affects: epel-7 [bug 1161823]
Comment 8 Kurt Seifried 2014-11-07 23:41:51 EST
Created mcollective tracking bugs for this issue:

Affects: fedora-all [bug 1161824]
Comment 9 Eric Christensen 2015-06-04 16:09:09 EDT
Is it appropriate to go ahead and close the tracking bugs on this ticket?
Comment 10 Kurt Seifried 2015-06-11 17:03:04 EDT
It's wontfix for Red Hat; Fedora/EPEL may choose to rebase, so we leave the trackers open for them.
