Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 8 Mar 2015 17:18:28 +0000
From: John Haxby <>
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

> On 7 Mar 2015, at 03:54, Kurt Seifried <> wrote:
> On 06/03/15 06:08 AM, John Haxby wrote:
>> On 06/03/15 01:02, Kurt Seifried wrote:
>>> Please contact your TAM/GSS with this request, it carries a lot
>>> more impact if customers want something that we also want.
>> I know "me too" isn't helpful, but I'm going to say "me too" anyway.
>> It occurred to me that we could have a patch that has a global switch
>> (eg a file in, say, /etc/sysconfig and a corresponding switch for
>> individual applications) that switches on the correct behaviour.   I
>> know it's a bit of a mess, but that way people who don't care will
>> continue in blissful ignorance and people that do care can do
>> something about it.
> That would be one way. But why can't Oracle build it and open source it?
> Oracle has a Linux distribution too I thought? Or do you need Red Hat
> engineering to do it first? If so as I said, customer cases carry far
> more weight than oss-security for feature requests.

Sorry, I didn’t mean to imply that Red Hat should do this first.   I’m also sorry if this came across as antagonistic: my intention was to try to find a way forward that would be beneficial to us both and to everyone else.

There is no reason at all why I should not do this, but I would rather do it with broad agreement.   There is also absolutely no way this could be done as closed-source and I’m not sure why you think I could or would do that.

If both Red Hat have customer requests then that would help everyone would it not?


>> jch
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Download attachment "signature.asc" of type "application/pgp-signature" (237 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ