Date: Sun, 20 Jul 2014 03:03:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE's for intersection vulnerabilities

On 19/07/14 10:09 AM, Dolev Farhi wrote:
> On Sat, 19 Jul 2014 14:32:50 +0300, intrigeri <intrigeri@...m.org>
> wrote:
> 
>> Hi,
>> 
>> Kurt Seifried wrote (19 Jul 2014 00:33:38 GMT) :
>>> So long story short: we have a program called sosreport that is
>>> used to send system information back to Red Hat so we can help
>>> customers troubleshoot their problems. It would appear we have
>>> three main classes of (potential) security vulnerabilities:
>> 
>> The severity of these potential vulnerabilities may partly depend
>> on how well sosreport authenticates the server it sends
>> information to.
>> 
>> Cheers, -- intrigeri
> 
> 
> Just wanna mention that sosreport is used by many companies other
> than Red Hat (e.g. a company may ask for an sosreport from their
> customers). I know that we use it to get environment data from
> customers.

Well... fiddlesticks.

That is outside of my responsibility, and indeed outside of what I'm
even aware of (if you use sosreport and do so in an insecure manner
please report to oss-security for uhmm.. re-education? Heck if I know
what to do/say.).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993