outstanding nodejs advisories with no CVE

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

outstanding nodejs advisories with no CVE

Kurt Seifried
Mitre: do you want me to take this as a PoC for the DWF, or can I ask for these on oss-security@?

Overview: The inert directory handler always allows files in hidden directories to be served, even when <code>showHidden</code> is false.

Overview: It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]

Overview: Marked 0.3.3 and earlier is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.

Overview: paypal-ipn uses the <code>test_ipn</code> parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

Overview: The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Overview: Certain input when passed into remarkable will bypass the bad prototcol check that disallows the javascript: scheme allowing for javascript: url&#39;s to be injected into the rendered content.

Overview: semver is vulnerable to regular expression denial of service (<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">ReDoS</a>) when extremely long version strings are parsed.

Overview: When using serve-index middleware version &lt; 1.6.3 file and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.


Overview: <a href="https://github.com/mishoo/UglifyJS2/issues/751">Tom MacWright</a> discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was <a href="https://zyan.scripts.mit.edu/blog/backdooring-js/">demonstrated</a> by <a href="https://twitter.com/bcrypt">Yan</a> to allow potentially malicious code to be hidden within secure code, activated by minification.

Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package.

Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of

Overview: Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1]

Overview: ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

Overview: uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Overview: Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

Overview: When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user.

Overview: secure-compare 3.0.0 and below do not actually compare two strings properly. 

Overview: ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

Overview: jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

Overview: jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.

Overview: moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time.

Overview: The send module &lt; 0.11.1 discloses the root path.

Overview: The <code>tar</code> module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

Overview: Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.

Overview: Not using quotes around your attributes in handlebar templates, could lead to content injection.

Overview: Not using quotes around your attributes in mustache templates, could lead to content injection.

Overview: Certain input passed into the If-Modified-Since or Last-Modified headers will cause an &#39;illegal access&#39; exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

Overview: Certain input strings when passed to new Date() or Date.parse() will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic  when this input is passed into the server via the If-Modified-Since header.

Overview: When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins <code>*</code>).

Overview: Keys of objects are not escaped with <code>mysql.escape()</code> which could lead to SQL Injection.

Overview: UPDATE Jan 6, 2016

Overview: A security issue was found in bittorrent-dht that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.

Overview: The dns-sync library for node.js allows resolving hostnames in a synchronous fashion

Overview: Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

Overview: Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth. 

Overview: It is possible to block the event loop when specially crafted user input is allowed into a validator using the <code>utc-millisec</code> format.

Overview: Specifically crafted long headers or uris can cause a minor denial of service when using hawk versions less than 4.1.1.

Overview: A REST API endpoint that is used for development was not disabled in production environments. This endpoint would allow filling up storage on the server creating a possible denial of service condition and enable XSS attacks via content injection.

Overview: When attempting to allow "try" mode in <a href="https://www.npmjs.com/package/hapi">hapi</a> hapi-auth-jwt2 5.1.1 introduced an issue whereby people could bypass authentication.

Overview: A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. 

Overview: The riot-compiler version version 2.3.21 "has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions"

Overview: restafary is able to set up a root path, which should only allow it to run inside of that root path it specified. An attacker is able to provide a specifically crafted path to access files outside of this specified root path.

Overview: Droppy versions &lt;=3.4.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.

Overview: The airbrake module defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.

Overview: Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as <code>../</code> to read files outside of the served directory.

 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: outstanding nodejs advisories with no CVE

Common Vulnerabilities & Exposures

Kurt –

 

We replied directly to your email earlier, but to repeat for the benefit of the other Board members:

The CVE team is working on issues relating to scope and responsibility for CVE/DWF ID issuing, and would welcome a discussion with you on the subject. Although the CVE Editorial Board is discussing the issue, specific questions like these are best addressed to [hidden email], where you can engage directly with our analysts.


Regards,

 

The CVE Team

 

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Thursday, April 14, 2016 8:18 PM
To: cve-editorial-board-list <[hidden email]>
Subject: outstanding nodejs advisories with no CVE

 

Mitre: do you want me to take this as a PoC for the DWF, or can I ask for these on oss-security@?

 

Overview: The inert directory handler always allows files in hidden directories to be served, even when <code>showHidden</code> is false.

 

Overview: It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]

 

Overview: Marked 0.3.3 and earlier is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.

 

Overview: paypal-ipn uses the <code>test_ipn</code> parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

 

Overview: The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

 

Overview: Certain input when passed into remarkable will bypass the bad prototcol check that disallows the javascript: scheme allowing for javascript: url&#39;s to be injected into the rendered content.

 

Overview: semver is vulnerable to regular expression denial of service (<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">ReDoS</a>) when extremely long version strings are parsed.

 

Overview: When using serve-index middleware version &lt; 1.6.3 file and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.

 

 

Overview: <a href="https://github.com/mishoo/UglifyJS2/issues/751">Tom MacWright</a> discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was <a href="https://zyan.scripts.mit.edu/blog/backdooring-js/">demonstrated</a> by <a href="https://twitter.com/bcrypt">Yan</a> to allow potentially malicious code to be hidden within secure code, activated by minification.

 

Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package.

 

Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of

 

Overview: Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1]

 

Overview: ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

 

Overview: uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

 

Overview: Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

 

Overview: When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user.

 

Overview: secure-compare 3.0.0 and below do not actually compare two strings properly. 

 

Overview: ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

 

Overview: jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

 

Overview: jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.

 

Overview: moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time.

 

Overview: The send module &lt; 0.11.1 discloses the root path.

 

Overview: The <code>tar</code> module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

 

Overview: Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.

 

Overview: Not using quotes around your attributes in handlebar templates, could lead to content injection.

 

Overview: Not using quotes around your attributes in mustache templates, could lead to content injection.

 

Overview: Certain input passed into the If-Modified-Since or Last-Modified headers will cause an &#39;illegal access&#39; exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

 

Overview: Certain input strings when passed to new Date() or Date.parse() will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic  when this input is passed into the server via the If-Modified-Since header.

 

Overview: When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins <code>*</code>).

 

Overview: Keys of objects are not escaped with <code>mysql.escape()</code> which could lead to SQL Injection.

 

Overview: UPDATE Jan 6, 2016

 

Overview: A security issue was found in bittorrent-dht that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.

 

Overview: The dns-sync library for node.js allows resolving hostnames in a synchronous fashion

 

Overview: Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

 

Overview: Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth. 

 

Overview: It is possible to block the event loop when specially crafted user input is allowed into a validator using the <code>utc-millisec</code> format.

 

Overview: Specifically crafted long headers or uris can cause a minor denial of service when using hawk versions less than 4.1.1.

 

Overview: A REST API endpoint that is used for development was not disabled in production environments. This endpoint would allow filling up storage on the server creating a possible denial of service condition and enable XSS attacks via content injection.

 

Overview: When attempting to allow "try" mode in <a href="https://www.npmjs.com/package/hapi">hapi</a> hapi-auth-jwt2 5.1.1 introduced an issue whereby people could bypass authentication.

 

Overview: A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. 

 

Overview: The riot-compiler version version 2.3.21 "has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions"

 

Overview: restafary is able to set up a root path, which should only allow it to run inside of that root path it specified. An attacker is able to provide a specifically crafted path to access files outside of this specified root path.

 

Overview: Droppy versions &lt;=3.4.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.

 

Overview: The airbrake module defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.

 

Overview: Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as <code>../</code> to read files outside of the served directory.

 

 

 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: outstanding nodejs advisories with no CVE

Kurt Seifried
Sorry been fighting my kids flu for the last few days. The intent of posting this was more "how should we handle it" then "CVE these all now". Hence the

"Mitre: do you want me to take this as a PoC for the DWF, or can I ask for these on oss-security@?"

I wasn't actually asking for CVEs for the issues right now as your email to oss-security@ seems to indicate:

"The CVE Assignment Team received a request (on an unexpected mailing
list) for CVE IDs for several Node.js packages. Because everything was
open source and post-disclosure, we are sending IDs here instead."



On Fri, Apr 15, 2016 at 10:06 AM, Common Vulnerabilities & Exposures <[hidden email]> wrote:

Kurt –

 

We replied directly to your email earlier, but to repeat for the benefit of the other Board members:

The CVE team is working on issues relating to scope and responsibility for CVE/DWF ID issuing, and would welcome a discussion with you on the subject. Although the CVE Editorial Board is discussing the issue, specific questions like these are best addressed to [hidden email], where you can engage directly with our analysts.


Regards,

 

The CVE Team

 

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Thursday, April 14, 2016 8:18 PM
To: cve-editorial-board-list <[hidden email]>
Subject: outstanding nodejs advisories with no CVE

 

Mitre: do you want me to take this as a PoC for the DWF, or can I ask for these on oss-security@?

 

Overview: The inert directory handler always allows files in hidden directories to be served, even when <code>showHidden</code> is false.

 

Overview: It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]

 

Overview: Marked 0.3.3 and earlier is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.

 

Overview: paypal-ipn uses the <code>test_ipn</code> parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

 

Overview: The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

 

Overview: Certain input when passed into remarkable will bypass the bad prototcol check that disallows the javascript: scheme allowing for javascript: url&#39;s to be injected into the rendered content.

 

Overview: semver is vulnerable to regular expression denial of service (<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">ReDoS</a>) when extremely long version strings are parsed.

 

Overview: When using serve-index middleware version &lt; 1.6.3 file and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.

 

 

Overview: <a href="https://github.com/mishoo/UglifyJS2/issues/751">Tom MacWright</a> discovered that UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was <a href="https://zyan.scripts.mit.edu/blog/backdooring-js/">demonstrated</a> by <a href="https://twitter.com/bcrypt">Yan</a> to allow potentially malicious code to be hidden within secure code, activated by minification.

 

Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function’s filtering is blacklist-based it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package.

 

Overview: The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). A method of

 

Overview: Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1]

 

Overview: ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

 

Overview: uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

 

Overview: Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

 

Overview: When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user.

 

Overview: secure-compare 3.0.0 and below do not actually compare two strings properly. 

 

Overview: ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

 

Overview: jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

 

Overview: jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.

 

Overview: moment is vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time.

 

Overview: The send module &lt; 0.11.1 discloses the root path.

 

Overview: The <code>tar</code> module earlier than version 2.0.0 allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

 

Overview: Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.

 

Overview: Not using quotes around your attributes in handlebar templates, could lead to content injection.

 

Overview: Not using quotes around your attributes in mustache templates, could lead to content injection.

 

Overview: Certain input passed into the If-Modified-Since or Last-Modified headers will cause an &#39;illegal access&#39; exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

 

Overview: Certain input strings when passed to new Date() or Date.parse() will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic  when this input is passed into the server via the If-Modified-Since header.

 

Overview: When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins <code>*</code>).

 

Overview: Keys of objects are not escaped with <code>mysql.escape()</code> which could lead to SQL Injection.

 

Overview: UPDATE Jan 6, 2016

 

Overview: A security issue was found in bittorrent-dht that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.

 

Overview: The dns-sync library for node.js allows resolving hostnames in a synchronous fashion

 

Overview: Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

 

Overview: Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth. 

 

Overview: It is possible to block the event loop when specially crafted user input is allowed into a validator using the <code>utc-millisec</code> format.

 

Overview: Specifically crafted long headers or uris can cause a minor denial of service when using hawk versions less than 4.1.1.

 

Overview: A REST API endpoint that is used for development was not disabled in production environments. This endpoint would allow filling up storage on the server creating a possible denial of service condition and enable XSS attacks via content injection.

 

Overview: When attempting to allow "try" mode in <a href="https://www.npmjs.com/package/hapi">hapi</a> hapi-auth-jwt2 5.1.1 introduced an issue whereby people could bypass authentication.

 

Overview: A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. 

 

Overview: The riot-compiler version version 2.3.21 "has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions"

 

Overview: restafary is able to set up a root path, which should only allow it to run inside of that root path it specified. An attacker is able to provide a specifically crafted path to access files outside of this specified root path.

 

Overview: Droppy versions &lt;=3.4.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.

 

Overview: The airbrake module defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.

 

Overview: Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as <code>../</code> to read files outside of the served directory.

 

 

 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
[hidden email]




--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]