Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 2 May 2011 12:57:16 -0500
From: Mark Hatle <mark.hatle@...driver.com>
To: Solar Designer <solar@...nwall.com>
CC: <oss-security@...ts.openwall.com>
Subject: Re: [security-vendor] Re: Closed list

> Hi Hui,
> 
> On Thu, Apr 28, 2011 at 02:24:58PM +0800, Hui Zhu wrote:
>> > Please add me to the new maillist.  I am from Wind River.
> Wind River is not yet being added to the new list:
> 
> http://www.openwall.com/lists/oss-security/2011/04/24/6
> 
> Hence, I've saved your subscription request to a separate folder, to
> revisit it if a decision is made to start adding "closed" vendors to the
> list, if Wind River starts to publish advisories and updates (in other
> words, if it becomes no more closed than Red Hat), or if a suitable
> separate list is setup.
> 

While I have not personally applied for the closed vendor list, our current
security contact has.  I thought I would attempt to explain briefly what we
publicly disclose and what we do not.  If this changes your stance on allowing
us into the closed list that is fine, if not then keep this as background
information for the future.

Wind River provides a public RSS feed with the advisories for our currently
supported products.  However, to get to the download you need to be a customer.
 The information in the RSS feed is accurate as to the description of the issue,
the only thing not published is the fixes themselves (note, these fixes don't
make sense if you are not a Wind River customer) along with installation notes.

The RSS feeds for our three currently support product versions are:

Wind River Linux 2.x : http://www.windriver.com/feeds/wrlinux_200.xml

Wind River Linux 3.x : http://www.windriver.com/feeds/wrlinux_300.xml

Wind River Linux 4.x : http://www.windriver.com/feeds/wrlinux_400.xml


What is in these RSS feeds?  We have two primary items in the list.

1) The first is a security bulletin.  The purpose of this is to simply tell
customers what issues we are aware of, if the issue affects our product(s), if
we are working on a fix [or not].  (This is similar to a CVE list...)

2) Individual patches for specific problems.  Note, not all of the issues here
are security related.  If they are we have always followed the rules of
disclosure according to how we have found our specific issues.  [i.e. CERT has
one set of rules, vendor-sec had another, customers may have a different set.. etc.]


I'll focus on the individual service packs, as that most closely represents an
update as mentioned above.

For example for the RSS feed for 4.x has the recent entry of:

Wind River Linux 4.1 Release Product Cumulative patch for openldap
April 20, 2011 2:10 AM

The following defect(s) have been fixed in this cumulative patch for the Wind
River openldap:WIND00266366       Security Advisory - openldap -
CVE-2011-1081WIND00266365       Security Advisory - openldap -
CVE-2011-1024WIND00266364       Security Advisory - openldap - CVE-2011-1025


By following the link to the customer support site (and logging in as a
customer), a person would see the following in addition to the information from
the RSS feed:  (I apologize for the formatting, but this should explain what we
have...)

NAME:	Wind River Linux 4.1 Release Product Cumulative patch for openldap
SUMMARY:	Wind River Linux 4.1 Release Product Cumulative patch for openldap
PRODUCT VERSION:	Wind River Linux 4.x
TYPE:	Patch
DOWNLOADS:	1.
WRL_4_1-layers-wrll_userspace_networking-tgt-openldap-20110414-spin1.zip

DESCRIPTION:
The following defect(s) have been fixed in this cumulative patch for the Wind
River openldap:

WIND00266366       Security Advisory - openldap - CVE-2011-1081
WIND00266365       Security Advisory - openldap - CVE-2011-1024
WIND00266364       Security Advisory - openldap - CVE-2011-1025

Change List:
/layers/wrll-userspace/networking/dist/openldap/Makefile
/layers/wrll-userspace/networking/dist/openldap/patches/openldap-fix-CVE-2011-1025.patch
/layers/wrll-userspace/networking/dist/openldap/patches/patches.list
/layers/wrll-userspace/networking/dist/openldap/patches/openldap-fix-CVE-2011-1024.patch
/layers/wrll-userspace/networking/dist/openldap/patches/openldap-fix-CVE-2011-1081.patch

DEPENDENCIES/CAVEATS: Requires Wind River Linux 4 Update Pack 1 (4.1) to be
installed

INSTALLATION:	

1. Unzip this patch under [install_dir]/updates
2. From the [install_dir]/updates directory, run the command
"../maintenance/wrInstaller/x86-linux2/wrInstaller"
3. Follow the instructions for installing the point patch.
4. This is a source only patch so you will have to rebuild the openldap package.
This can be done by executing the command "make -C build openldap.distclean"
followed by "make -C build openldap.rebuild"
5. Run "make fs" next
6. Upload the kernel and rootfs into the target and boot it up.


DATE: 20 April 2011

REVISION:Add file
WRL_4_1-layers-wrll_userspace_networking-tgt-openldap-20110414-spin1.zip and
includes fix to defect WIND00266366 WIND00266365 WIND00266364

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.