Date: Tue, 10 Mar 2015 21:59:13 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

On 10 March 2015 at 20:41, John Haxby <john.haxby@...cle.com> wrote:
> None of this, however, has anything to do with the matter at hand.  If
> no one from Red Hat is unwilling to cooperate in getting a single
> backward-compatible resolution to incorporating PEP-466 into the
> distro python versions then perhaps someone else is.
>
> If there's interest, I'll gladly work with anyone who wants to find a
> way to do this.   This is just me trying, as usual, to do the best by
> everyone.  I don't speak for Oracle, I'm not paid enough for that, I'm
> just trying to make sure that we don't wind up with a backported fix
> that makes the overall situation worse.

I'm happy to help work on this.

The two ways to attack this seem to be:

1) Use alternatives for the ssl module, and a new package has a
higher priority version of the module.

2) Include both versions of the module under different names, and
have a script that symlinks the correct one in place.  This may work
better in chroot environments, etc.

Regards,
  Michael
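One way option 2 could look in practice, as an added example that is not part of Michael's message or of any distro package: two ssl module variants installed side by side under different file names, and a small script that repoints an `ssl.py` symlink at the chosen one. The directory layout, the `ssl_<variant>.py` naming and the helper names are assumptions for illustration; real distro paths will differ.

```shell
#!/bin/sh
# Added example (not from the original thread): switch which ssl module
# variant a Python tree sees by repointing a symlink, as in option 2.
# Layout assumed here: <site-dir>/ssl_<variant>.py are the real modules,
# <site-dir>/ssl.py is a symlink to the active one.

# select_ssl_variant <site-dir> <variant>
select_ssl_variant() {
    site_dir="$1"
    variant="$2"
    target="ssl_${variant}.py"
    # refuse to create a dangling link
    [ -f "$site_dir/$target" ] || { echo "no such variant: $target" >&2; return 1; }
    # -n so an existing symlink is replaced rather than followed
    ln -sfn "$target" "$site_dir/ssl.py" || return 1
    # verify the link points where we meant it to
    [ "$(readlink "$site_dir/ssl.py")" = "$target" ]
}

# current_ssl_variant <site-dir>: prints the active variant, or "none"
current_ssl_variant() {
    link="$(readlink "$1/ssl.py" 2>/dev/null)" || { echo none; return 0; }
    echo "$link" | sed -n 's/^ssl_\(.*\)\.py$/\1/p'
}

# demo on a throwaway directory with constructed stand-in modules
demo_dir="$(mktemp -d)"
printf '# legacy ssl module stand-in\n' > "$demo_dir/ssl_legacy.py"
printf '# PEP-466 ssl module stand-in\n' > "$demo_dir/ssl_pep466.py"
select_ssl_variant "$demo_dir" pep466
echo "active: $(current_ssl_variant "$demo_dir")"
```

Because the link target is relative to the site directory, the same script works inside a chroot as long as it is run with the chroot's own site directory as the argument; the existence check keeps a typo in the variant name from leaving Python with no ssl module at all.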
