Date: Tue, 19 Jul 2011 02:37:46 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: dfncert@...-cert.de
Subject: Re: CVE request: vulnerability in FreeRADIUS (OCSP)

Hi,

We have almost 800 subscribers on oss-security, but DFN-CERT doesn't
appear to be subscribed - so I've re-added the CC on this reply, and
I'll over-quote a little.

dfncert@...-cert.de wrote:
> > We would be willing to provide the patch to all Linux distributors
> > but we do not want to release the patch publicly and wait for the
> > official patch by the package maintainer of FreeRADIUS.

On Tue, Jul 19, 2011 at 12:06:15AM +0200, Stefan Behte wrote:
> Then posting it to the new vendor-sec (linux-distros@...openwall.org)
> sounds like the right thing to do.

This is not exactly the new vendor-sec.  As the name suggests, it is a
Linux distros only list.  Also, please note that the maximum acceptable
embargo period on this list is 14 days.  We need to communicate this
detail to whoever we're asking to disclose anything to the list, before
they disclose.  When posting to the list, you may encrypt messages to
the attached key.

For FreeRADIUS specifically, it sounds like non-Linux vendors could be
interested as well.  DFN-CERT did mention Linux distros specifically in
the quote above, so the suggestion to use the list was appropriate, but
perhaps requests from other distros shipping FreeRADIUS should be
accommodated as well.  If something like this arrived at the Linux
distros list without prior discussion on oss-security, I would bring
this up and suggest that we contact *BSD's at least.  Since this is
already on oss-security, I assume that interested *BSD's and others may
ask DFN-CERT themselves. ;-)

> Gentoo complies with your requirements
> and would like to get the patch directly, if you do not plan to send it
> there.

Alexander

View attachment "linux-distros.asc" of type "text/plain" (1858 bytes)
