[Bug 1978144] Re: [MIR] ipmitool

Seth Arnold 1978144 at bugs.launchpad.net
Mon Dec 8 20:24:41 UTC 2025


CVE-2018-2906 and CVE-2018-2792 are from Oracle -- they publish no
useful information about CVEs. We will probably never know if those CVEs
are specific to Oracle's versions of the software or if they affect the
FOSS version, too. We shouldn't hold those against the upstream project.
I'm less sure of the Nvidia issue; that feels like it probably applies,
and they might even be helpful if asked.

ipmitool is useful and almost necessary, so I can understand the desire.
But it also feels like it's been neglected so long, and assumed to only
ever be used on a restricted management network from a single bastion
host that straddles the management network and the general purpose
network -- but I'm not sure that assumption actually holds today. But if
a team doesn't follow best practices, is that on us or on them?

I'd be more amenable to including ipmitool if we had AppArmor profiles
in place -- not necessarily hyper-specific profiles but at least broad
strokes to limit and mitigate exploitation in case a user interacts with
a malicious server.

-- 
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1978144
