Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 May 2011 21:28:17 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple libraries privilege checking

On Wed, May 18, 2011 at 06:53:23PM +0200, yersinia wrote:
> It happens that I am, with another name, an rpm5/popt comantainer . I am very
> interested to integrate these patches, being also a   security
> professional. Very

<offtopic>
We have many more rpm patches here:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/rpm/
These are against rpm-4.2 and most of them are non-security, but they
were required to make rpm usable for us.  For example, when a package is
rebuilt with some changes but without Epoch/Version/Release change, and
the old build contains some files that are not in the new build, and the
package is upgraded on a system (such as with "-U --force"), the
original rpm would leave orphaned files around on the system (security
relevance: even SUID/SGID program binaries).  Ours removes those files.
You could want to take a look at our patches and see if any are still
relevant to rpm5.
</offtopic>

> useful to follow this mailing list, but I am not part of a distro, at least
> for now, and I can no longer follow it in the future due to the  recent
> policy change. Thanks anyway.

Huh?  There's no policy change.  Are you possibly misinterpreting the
"Closed list" thread as applying to the oss-security list?  It does not.
The closed list is an alternative to the old vendor-sec and to the CC
lists that started to appear in the month without vendor-sec.  It is not
an alternative to oss-security.  In fact, with the new closed list being
more limited than the old vendor-sec was, I expect more topics to be
discussed on oss-security than there were when vendor-sec was around.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.