Date: Wed, 18 May 2011 21:28:17 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple libraries privilege checking

On Wed, May 18, 2011 at 06:53:23PM +0200, yersinia wrote:
> It happens that I am, with another name, an rpm5/popt co-maintainer. I am very
> interested to integrate these patches, being also a security
> professional. Very

<offtopic>
We have many more rpm patches here:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/rpm/
These are against rpm-4.2 and most of them are non-security, but they
were required to make rpm usable for us.  For example, when a package is
rebuilt with some changes but without Epoch/Version/Release change, and
the old build contains some files that are not in the new build, and the
package is upgraded on a system (such as with "-U --force"), the
original rpm would leave orphaned files around on the system (security
relevance: even SUID/SGID program binaries).  Ours removes those files.
You could want to take a look at our patches and see if any are still
relevant to rpm5.
</offtopic>

> useful to follow this mailing list, but I am not part of a distro, at least
> for now, and I can no longer follow it in the future due to the recent
> policy change. Thanks anyway.

Huh?  There's no policy change.  Are you possibly misinterpreting the
"Closed list" thread as applying to the oss-security list?  It does not.
The closed list is an alternative to the old vendor-sec and to the CC
lists that started to appear in the month without vendor-sec.  It is not
an alternative to oss-security.  In fact, with the new closed list being
more limited than the old vendor-sec was, I expect more topics to be
discussed on oss-security than there were when vendor-sec was around.

Thanks,

Alexander
