Date: Mon, 20 Apr 2015 13:01:58 -0400
From: Dan McDonald <danmcd@...iti.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com,
 Dan McDonald <danmcd@...iti.com>
Subject: Re: CVE request - illumos

Addressing one part publicly:

> On Apr 20, 2015, at 12:34 PM, cve-assign@...re.org wrote:

<SNIP!>

> The cve-assign@...re.org address can be used for non-public requests
> for illumos CVEs. There may be other options for the open-source
> parts, but we think that not all of illumos is open source.
> http://wiki.illumos.org/display/illumos/illumos+FAQs says "There still
> remain some binary-only, closed source components that we inherited
> from Oracle." If the component also affects an Oracle product, then
> Oracle could assign the CVE ID.

The closed-source bits left over from Oracle will never be updated, because Oracle unceremoniously closed the old OpenSolaris project without even telling the community (the community found out via a leaked internal email).

Illumos is its own entity, and we'd only be asking for CVE entries based on what is open-sourced, modulo some really REALLY bizarre corner-case I can't imagine, but whose (remote) possibility I won't dismiss.

There is always a chance that illumos has some problem that ALSO exists in now-closed Oracle Solaris (or perhaps in still open-sourced components that are common to both), but please do not equate the two as a rule of thumb.

Thanks,
Dan
