Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Thu, 21 Feb 2008 08:49:52 +0000 (GMT)
From: Mark J Cox <mjc@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

> hahah... as Mark can attest, you're not the only one.  I've had to email
> him a few times looking for some obscure src.rpm.

We give the full path in our emailed advisories (except for the cases 
where we are shipping something not open source like java/acroread) but 
the paths are not in the web based versions.  So 
http://www.redhat.com/archives/rhsa-announce/ since Nov 2007, or for older 
stuff http://www.redhat.com/archives/enterprise-watch-list/

Once you get a rpm then unpacking it without installing it is easy:
rpm2cpio fn.rpm | cpio --make-directories --extract

And we nearly always ship the pristine upstream tarball along with each 
patch separately (exception being things like OpenSSL).

This is definately material for a 'how to find out how the vendor fixed 
this' page.

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux