** Description changed: - Upstream maintainer for openwsman has added in a bunch of security fixes - after our security team conducted an audit of the code. There are still - a few patches left to go, but, I would like to go ahead and include - what's already upstream into the 14.04 release: + The upstream maintainer for openwsman has added in a bunch of security + fixes after our security team conducted an audit of the code. There are + still a few patches left to go, but, I would like to go ahead and + include what's already upstream into the 14.04 release: ws_xml_make_default_prefix() can overflow buf parameter via sprintf() wsmc_create_request() potential buf[20] overflow via WSMAN_ACTION_RENEW LocalSubscriptionOpUpdate() unchecked fopen() Incorrect order of sanity guards in wsman_get_fault_status_from_doc() Unchecked memory allocation in wsman_init_plugins(), p->ifc Unchecked memory allocation in mem_double(), newptr Unchecked memory allocation in dictionary_new(), d, d->val, d->key, d->hash Unchecked memory allocation in u_error_new(), *error sighup_handler() in wsmand.c uses unsafe functions in a signal handler - - I'll be working on a patch for this and will post a debdiff soon. - - The upstream commits are here: - - https://github.com/Openwsman/openwsman/commits/638b9c8acfa6ded84c94c01e137c61c29d65d62e/src + Support SHA512 password encoding, use safe_cmp to prevent brute-force + attacks + increase password upper limit to 128 characters (from 64)
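Review bot: the removed lines at the end of the description drop the only pointer to the upstream commits (the "The upstream commits are here:" line and its github.com/Openwsman/openwsman URL), and the added lines put nothing in its place, so the listed fixes can no longer be traced to specific upstream changes from this description. Suggest keeping that line and URL, and naming the affected function or file for the two new items (SHA512 password encoding with safe_cmp, and the password limit raised from 64 to 128 characters) the way the earlier entries do.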
-- 
https://bugs.launchpad.net/bugs/1319089

Title:
  Add security fixes from upstream