Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 May 2011 12:57:16 -0500
From: Mark Hatle <>
To: Solar Designer <>
CC: <>
Subject: Re: [security-vendor] Re: Closed list

> Hi Hui,
> On Thu, Apr 28, 2011 at 02:24:58PM +0800, Hui Zhu wrote:
>> > Please add me to the new maillist.  I am from Wind River.
> Wind River is not yet being added to the new list:
> Hence, I've saved your subscription request to a separate folder, to
> revisit it if a decision is made to start adding "closed" vendors to the
> list, if Wind River starts to publish advisories and updates (in other
> words, if it becomes no more closed than Red Hat), or if a suitable
> separate list is setup.

While I have not personally applied for the closed vendor list, our current
security contact has.  I thought I would attempt to explain briefly what we
publicly disclose and what we do not.  If this changes your stance on allowing
us into the closed list that is fine, if not then keep this as background
information for the future.

Wind River provides a public RSS feed with the advisories for our currently
supported products.  However, to get to the download you need to be a customer.
 The information in the RSS feed is accurate as to the description of the issue,
the only thing not published is the fixes themselves (note, these fixes don't
make sense if you are not a Wind River customer) along with installation notes.

The RSS feeds for our three currently support product versions are:

Wind River Linux 2.x :

Wind River Linux 3.x :

Wind River Linux 4.x :

What is in these RSS feeds?  We have two primary items in the list.

1) The first is a security bulletin.  The purpose of this is to simply tell
customers what issues we are aware of, if the issue affects our product(s), if
we are working on a fix [or not].  (This is similar to a CVE list...)

2) Individual patches for specific problems.  Note, not all of the issues here
are security related.  If they are we have always followed the rules of
disclosure according to how we have found our specific issues.  [i.e. CERT has
one set of rules, vendor-sec had another, customers may have a different set.. etc.]

I'll focus on the individual service packs, as that most closely represents an
update as mentioned above.

For example for the RSS feed for 4.x has the recent entry of:

Wind River Linux 4.1 Release Product Cumulative patch for openldap
April 20, 2011 2:10 AM

The following defect(s) have been fixed in this cumulative patch for the Wind
River openldap:WIND00266366       Security Advisory - openldap -
CVE-2011-1081WIND00266365       Security Advisory - openldap -
CVE-2011-1024WIND00266364       Security Advisory - openldap - CVE-2011-1025

By following the link to the customer support site (and logging in as a
customer), a person would see the following in addition to the information from
the RSS feed:  (I apologize for the formatting, but this should explain what we

NAME:	Wind River Linux 4.1 Release Product Cumulative patch for openldap
SUMMARY:	Wind River Linux 4.1 Release Product Cumulative patch for openldap
PRODUCT VERSION:	Wind River Linux 4.x
TYPE:	Patch

The following defect(s) have been fixed in this cumulative patch for the Wind
River openldap:

WIND00266366       Security Advisory - openldap - CVE-2011-1081
WIND00266365       Security Advisory - openldap - CVE-2011-1024
WIND00266364       Security Advisory - openldap - CVE-2011-1025

Change List:

DEPENDENCIES/CAVEATS: Requires Wind River Linux 4 Update Pack 1 (4.1) to be


1. Unzip this patch under [install_dir]/updates
2. From the [install_dir]/updates directory, run the command
3. Follow the instructions for installing the point patch.
4. This is a source only patch so you will have to rebuild the openldap package.
This can be done by executing the command "make -C build openldap.distclean"
followed by "make -C build openldap.rebuild"
5. Run "make fs" next
6. Upload the kernel and rootfs into the target and boot it up.

DATE: 20 April 2011

REVISION:Add file and
includes fix to defect WIND00266366 WIND00266365 WIND00266364

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.