Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 18 Apr 2014 12:09:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Request for linux-distros list membership

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/18/2014 09:32 AM, rf@...eap.de wrote:
>>>>>> "Anthony" == Anthony Liguori <aliguori@...zon.com>
>>>>>> writes:
> 
> Anthony> On 04/09/14 23:25, Solar Designer wrote:
>>> On Wed, Apr 09, 2014 at 11:57:33PM -0600, Kurt Seifried wrote:
>>>> So first off I'm inclined to have Amazon on the distros list 
>>>> (same reasons as Oracle basically).
>>>> 
>>>> My only concern is are you the correct person, I have no
>>>> clue who is on the Amazon security team for their Linux
>>>> distribution, I've never seen you post anything anywhere.
>>>> 
>>>> Your search - site:aws.amazon.com Anthony Liguori - did not 
>>>> match any documents.
>>>> 
>>>> Your search - site:aws.amazon.com aliguori@...zon.com - did
>>>> not match any documents.
>>>> 
>>>> Can we somehow get confirmation from Amazon that this is the 
>>>> right person to have on distros? Thanks.
>>> 
>>> Yes, we need this sort of confirmation.  My other concerns
>>> are:
> 
> Anthony> Ping.  Apologies if this is being discussed in private
> but Anthony> I just wanted to make sure it wasn't forgotten.  I
> believe Anthony> we have provided all of the information
> requested.
> 
> Just a remark from somebody who's request for linux-distros
> membership was turned down: I think in case the AMI membership will
> be granted, you need to provide a clear explanation why Qlustar's
> wasn't. Better: Setup some clear criteria for when membership is
> possible and when not.
> 
> Roland ------- http://www.q-leap.com / http://qlustar.com
> 

Well one comment/question on your advisories:

https://qlustar.com/news/qsa-0131142-security-bundle

Package(s)       : see upstream description of individual package
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

Except you don't give any version #'s, nor do you give any CVE id's,
how is anyone supposed to figure out what got fixed?




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTUWpWAAoJEBYNRVNeJnmTpS0P/jsy342SyO9Kdfe88PQphn2S
c0hPUbbIh1OrPn913DtLaRncUDufA9ONHpyzhi43oGuzI+ADV08eAjr9KU+23Z5X
DCaN3UVZGPkG/nXk/RvUW4mebpN1ZpXOX03Mb9TM0WeONWeZiChZkxhFUAhwJtBH
bexJSqjsUHpgSZUzzfi5bB/67SRHkxH8H05nhBiqu2w6w9fkFDBxj9wc33n7dapf
iz1vK6Ne4R/mQ+r+qloWYiUsZ0VqWtjqnkereDGYs0ER0j/ufwvrc4eJ7bJa+hH/
tV4CjPlr8lWmqJinnvpCpFDzphpwF7ltkzlsDJwi1WiYIMSFuzC+99uRJocQu7Zc
o6ga/nMuaBYhRL9P+9mOYDN5DDx85MvvGD7kMSz7xUmC8wIKQY2aDzCU/eJq0um0
DDmxrBGmDVWyiVZSrdFwWmZ4Sp8zzabZcDmgHu2BkJElfebX+wmNyGeHGLMXlvRR
cXcEV1nL0E5hspkMmTNywBpij+HLTv7bi/FMecUAXGkNn4slgHANx3lViNcRyIo8
A6KvOAfiXBrkEXaVp2bNOS999KgdyoRcR03hm0iINyHj8WP4Uc5RUljjhx8gT65h
85qhbIFCowz5psylbwXVGhWksQo+5HgFVYEDbOhAVHMk8GMSVnbOTaobRvLDLqJ2
8BUb6Ak0QWpW0zXVQa4I
=O+fO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.