CVE-2018-2906 and CVE-2018-2792 are from Oracle -- they publish no useful information about CVEs. We will probably never know if those CVEs are specific to Oracle's versions of the software or if they affect the FOSS version, too. We shouldn't hold those against the upstream project. I'm less sure of the Nvidia issue, that feels like it probably applies and they might even be helpful if asked.
ipmitool is useful and almost necessary, so I can understand the desire. But it also feels like it's been neglected so long, and assumed to only ever be used on a restricted management network from a single bastion host that straddles the management network and the general purpose network -- but I'm not sure that assumption actually holds today. But if a team doesn't follow best practices, is that on us or on them? I'd be more amenable to including ipmitool if we had apparmor profiles in place -- not necessarily hyper-specific profiles but at least broad strokes to limit and mitigate exploitation in case a user interacts with a malicious server.

https://bugs.launchpad.net/bugs/1978144
Title: [MIR] ipmitool
