Date: Mon, 2 May 2011 12:57:16 -0500
From: Mark Hatle <mark.hatle@...driver.com>
To: Solar Designer <solar@...nwall.com>
CC: <oss-security@...ts.openwall.com>
Subject: Re: [security-vendor] Re: Closed list

> Hi Hui,
>
> On Thu, Apr 28, 2011 at 02:24:58PM +0800, Hui Zhu wrote:
>> > Please add me to the new maillist. I am from Wind River.
>
> Wind River is not yet being added to the new list:
>
> http://www.openwall.com/lists/oss-security/2011/04/24/6
>
> Hence, I've saved your subscription request to a separate folder, to
> revisit it if a decision is made to start adding "closed" vendors to the
> list, if Wind River starts to publish advisories and updates (in other
> words, if it becomes no more closed than Red Hat), or if a suitable
> separate list is set up.

While I have not personally applied for the closed vendor list, our current
security contact has. I thought I would attempt to explain briefly what we
publicly disclose and what we do not. If this changes your stance on allowing
us into the closed list, that is fine; if not, then keep this as background
information for the future.

Wind River provides a public RSS feed with the advisories for our currently
supported products. However, to get to the download you need to be a customer.
The information in the RSS feed is accurate as to the description of the issue;
the only thing not published is the fixes themselves (note, these fixes don't
make sense if you are not a Wind River customer) along with installation notes.

The RSS feeds for our three currently supported product versions are:

Wind River Linux 2.x : http://www.windriver.com/feeds/wrlinux_200.xml
Wind River Linux 3.x : http://www.windriver.com/feeds/wrlinux_300.xml
Wind River Linux 4.x : http://www.windriver.com/feeds/wrlinux_400.xml

What is in these RSS feeds? We have two primary items in the list.

1) The first is a security bulletin. The purpose of this is to simply tell
customers what issues we are aware of, if the issue affects our product(s),
and if we are working on a fix [or not]. (This is similar to a CVE list...)

2) Individual patches for specific problems. Note, not all of the issues here
are security related. If they are, we have always followed the rules of
disclosure according to how we have found our specific issues. [i.e. CERT has
one set of rules, vendor-sec had another, customers may have a different
set.. etc.]

I'll focus on the individual service packs, as that most closely represents an
update as mentioned above.

For example, the RSS feed for 4.x has the recent entry:

Wind River Linux 4.1 Release Product Cumulative patch for openldap
April 20, 2011 2:10 AM
The following defect(s) have been fixed in this cumulative patch for the Wind
River openldap:
WIND00266366 Security Advisory - openldap - CVE-2011-1081
WIND00266365 Security Advisory - openldap - CVE-2011-1024
WIND00266364 Security Advisory - openldap - CVE-2011-1025

By following the link to the customer support site (and logging in as a
customer), a person would see the following in addition to the information
from the RSS feed:

(I apologize for the formatting, but this should explain what we have...)

NAME: Wind River Linux 4.1 Release Product Cumulative patch for openldap

SUMMARY: Wind River Linux 4.1 Release Product Cumulative patch for openldap

PRODUCT VERSION: Wind River Linux 4.x

TYPE: Patch

DOWNLOADS:
1. WRL_4_1-layers-wrll_userspace_networking-tgt-openldap-20110414-spin1.zip

DESCRIPTION:
The following defect(s) have been fixed in this cumulative patch for the Wind
River openldap:
WIND00266366 Security Advisory - openldap - CVE-2011-1081
WIND00266365 Security Advisory - openldap - CVE-2011-1024
WIND00266364 Security Advisory - openldap - CVE-2011-1025

Change List:
/layers/wrll-userspace/networking/dist/openldap/Makefile
/layers/wrll-userspace/networking/dist/openldap/patches/openldap-fix-CVE-2011-1025.patch
/layers/wrll-userspace/networking/dist/openldap/patches/patches.list
/layers/wrll-userspace/networking/dist/openldap/patches/openldap-fix-CVE-2011-1024.patch
/layers/wrll-userspace/networking/dist/openldap/patches/openldap-fix-CVE-2011-1081.patch

DEPENDENCIES/CAVEATS:
Requires Wind River Linux 4 Update Pack 1 (4.1) to be installed

INSTALLATION:
1. Unzip this patch under [install_dir]/updates
2. From the [install_dir]/updates directory, run the command
   "../maintenance/wrInstaller/x86-linux2/wrInstaller"
3. Follow the instructions for installing the point patch.
4. This is a source only patch so you will have to rebuild the openldap
   package. This can be done by executing the command
   "make -C build openldap.distclean" followed by
   "make -C build openldap.rebuild"
5. Run "make fs" next
6. Upload the kernel and rootfs into the target and boot it up.

DATE: 20 April 2011

REVISION: Add file
WRL_4_1-layers-wrll_userspace_networking-tgt-openldap-20110414-spin1.zip and
includes fix to defect WIND00266366 WIND00266365 WIND00266364
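The feed entry quoted in the message shows how a public vendor feed can be consumed by anyone tracking CVE coverage, even without customer access to the fix itself. The following is an added example, not Wind River's code or the author's: it parses an RSS 2.0 feed shaped like the 4.x entry above, pulls the WIND defect ids and CVE ids out of each item description, and matches them against a CVE watchlist. The feed text is a constructed sample modelled on that entry (it also reproduces the run-together "...CVE-2011-1081WIND00266365..." form seen when line breaks are lost); the assumption that defect ids are "WIND" followed by eight digits is taken from the ids shown and is not a documented format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed, modelled on the 4.x entry quoted in the message.
# The second item is a constructed non-security patch, which the message says
# the feed also carries.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
 <channel>
  <title>Wind River Linux 4.x (constructed sample)</title>
  <item>
   <title>Wind River Linux 4.1 Release Product Cumulative patch for openldap</title>
   <pubDate>Wed, 20 Apr 2011 02:10:00 GMT</pubDate>
   <description>The following defect(s) have been fixed in this cumulative patch for the Wind River openldap:WIND00266366 Security Advisory - openldap - CVE-2011-1081WIND00266365 Security Advisory - openldap - CVE-2011-1024WIND00266364 Security Advisory - openldap - CVE-2011-1025</description>
  </item>
  <item>
   <title>Wind River Linux 4.1 Release Product patch for busybox (constructed)</title>
   <pubDate>Mon, 18 Apr 2011 10:00:00 GMT</pubDate>
   <description>WIND00000001 Fix for build failure on some hosts</description>
  </item>
 </channel>
</rss>
"""

# Assumed id formats: "WIND" + 8 digits (from the ids shown), standard CVE ids.
DEFECT_RE = re.compile(r"WIND\d{8}")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# One "<defect> Security Advisory - <package> - <CVE>" triple. Because the CVE
# pattern stops at the first non-digit, it still splits correctly when the next
# WIND id follows the CVE with no separator.
ADVISORY_RE = re.compile(r"(WIND\d{8})\s*Security Advisory - (\S+) - (CVE-\d{4}-\d{4,})")


def _unique(seq):
    """Preserve order, drop duplicates."""
    seen = set()
    out = []
    for x in seq:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def parse_feed(rss_text):
    """Return one dict per <item>: title, pubDate, defect ids, CVE ids, and the
    (defect, package, cve) triples for each security-advisory line."""
    root = ET.fromstring(rss_text)
    items = []
    for item in root.iter("item"):
        desc = item.findtext("description", default="")
        items.append({
            "title": item.findtext("title", default="").strip(),
            "pubdate": item.findtext("pubDate", default="").strip(),
            "defects": _unique(DEFECT_RE.findall(desc)),
            "cves": _unique(CVE_RE.findall(desc)),
            "advisories": ADVISORY_RE.findall(desc),
        })
    return items


def security_items(items):
    """Only the entries that reference at least one CVE."""
    return [it for it in items if it["cves"]]


def match_watchlist(items, watchlist):
    """Map each watched CVE to the titles of feed entries that claim to fix it;
    an empty list means the feed has not announced a fix for that CVE."""
    hits = {cve: [] for cve in watchlist}
    for it in items:
        for cve in it["cves"]:
            if cve in hits:
                hits[cve].append(it["title"])
    return hits


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_RSS)
    for it in security_items(feed):
        print(it["pubdate"], it["title"])
        for defect, pkg, cve in it["advisories"]:
            print("   ", defect, pkg, cve)
    print(match_watchlist(feed, ["CVE-2011-1024", "CVE-2011-9999"]))
```

Against a live feed the same functions apply to the fetched XML text; the point for a defender is that the public description is enough to confirm which CVEs a vendor has addressed, while the actual fix (the download and installation notes) remains behind the customer login, exactly as the message describes.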