Date: Sun, 8 Mar 2015 17:18:28 +0000
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

> On 7 Mar 2015, at 03:54, Kurt Seifried <kseifried@...hat.com> wrote:
>
> On 06/03/15 06:08 AM, John Haxby wrote:
>> On 06/03/15 01:02, Kurt Seifried wrote:
>>> Please contact your TAM/GSS with this request, it carries a lot
>>> more impact if customers want something that we also want.
>>
>>
>> I know "me too" isn't helpful, but I'm going to say "me too" anyway.
>>
>> It occurred to me that we could have a patch that has a global switch
>> (eg a file in, say, /etc/sysconfig and a corresponding switch for
>> individual applications) that switches on the correct behaviour. I
>> know it's a bit of a mess, but that way people who don't care will
>> continue in blissful ignorance and people that do care can do
>> something about it.
>
> That would be one way. But why can't Oracle build it and open source it?
> Oracle has a Linux distribution too I thought? Or do you need Red Hat
> engineering to do it first? If so as I said, customer cases carry far
> more weight than oss-security for feature requests.

Sorry, I didn’t mean to imply that Red Hat should do this first. I’m also sorry if this came across as antagonistic: my intention was to try to find a way forward that would be beneficial to us both and to everyone else.

There is no reason at all why I should not do this, but I would rather do it with broad agreement. There is also absolutely no way this could be done as closed-source and I’m not sure why you think I could or would do that.

If both Red Hat have customer requests then that would help everyone would it not?

jch

>
>> jch
>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
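The quoted proposal is a global switch (a file under /etc/sysconfig plus a per-application override) that turns on correct hostname checking for Python clients that currently verify the certificate chain but never compare the certificate's names against the host they connected to. The following is an added example of what that looks like in Python, written for this page; it is not code from rhn-setup, Red Hat or Oracle. The switch file name and the VERIFY_HOSTNAME / VERIFY_HOSTNAME_<APP> keys are hypothetical, the certificate dicts are constructed in the shape returned by ssl.SSLSocket.getpeercert(), and the name matcher implements the usual RFC 6125 rules (subjectAltName dNSName entries take precedence over commonName, one wildcard allowed only in the leftmost label, matching exactly one label).

```python
"""Hostname verification with a sysconfig-style switch (added example, hypothetical keys)."""
import re
import ssl

# Constructed content of a hypothetical /etc/sysconfig/ssl-hostname-check file.
SWITCH_FILE = """\
# Global default; VERIFY_HOSTNAME_<APP> overrides it for a single application.
VERIFY_HOSTNAME=no
VERIFY_HOSTNAME_RHNREG_KS=yes
"""

# Constructed peer certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_SAN = {
    "subject": ((("commonName", "rhn.example.com"),),),
    "subjectAltName": (("DNS", "rhn.example.com"), ("DNS", "*.satellite.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "updates.example.com"),),)}
# CN says rhn.example.com, but a dNSName SAN is present, so only the SAN counts.
CERT_SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "rhn.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}


def read_switch(text, app, default=False):
    """Parse KEY=value lines; the per-app key wins over the global key.
    An absent switch keeps the old behaviour (default=False), which is what the
    opt-in proposal describes; a hardened build would pass default=True."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("\"'").lower()
    app_key = "VERIFY_HOSTNAME_" + re.sub(r"[^A-Z0-9]", "_", app.upper())
    for key in (app_key, "VERIFY_HOSTNAME"):
        if key in values:
            return values[key] in ("1", "yes", "true", "on")
    return default


def _dnsname_match(pattern, hostname):
    """Case-insensitive match of one certificate name against the target host.
    A single '*' is allowed only in the leftmost label and matches exactly one label."""
    if not pattern or pattern.count("*") > 1:
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    leftmost, sep, rest = pattern.partition(".")
    if not sep or "*" in rest:          # bare "*" or wildcard outside leftmost label
        return False
    if leftmost == "*":
        label_re = r"[^.]+"
    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
        return False                     # no partial wildcards against IDNA labels
    else:
        label_re = re.escape(leftmost).replace(r"\*", r"[^.]*")
    return re.match(r"\A" + label_re + r"\." + re.escape(rest) + r"\Z", hostname) is not None


def match_hostname(cert, hostname):
    """Return the certificate name that matched, or raise ssl.CertificateError."""
    if not cert:
        raise ValueError("empty peer certificate: was verification even requested?")
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            if _dnsname_match(value, hostname):
                return value
            names.append(value)
    if not names:  # fall back to commonName only when no dNSName SAN exists
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    if _dnsname_match(value, hostname):
                        return value
                    names.append(value)
    raise ssl.CertificateError("hostname %r doesn't match %s"
                               % (hostname, ", ".join(map(repr, names)) or "any certificate name"))


def hostname_matches(cert, hostname):
    """Boolean wrapper around match_hostname for callers that prefer no exception."""
    try:
        match_hostname(cert, hostname)
        return True
    except ssl.CertificateError:
        return False


def make_context(switch_text, app, cafile=None):
    """Chain verification stays on either way; only hostname checking follows the switch."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ctx.check_hostname = read_switch(switch_text, app)
    return ctx


if __name__ == "__main__":
    for app in ("rhnreg_ks", "other-app"):
        print(app, "verifies hostnames:", read_switch(SWITCH_FILE, app))
    print(match_hostname(CERT_SAN, "sat1.satellite.example.com"))
    print(hostname_matches(CERT_SAN_OVERRIDES_CN, "rhn.example.com"))
```

The matcher is the part the vulnerable clients were missing: they handed the chain to OpenSSL, got CERT_REQUIRED enforced, and then trusted whatever name the (validly signed) certificate carried. With the switch off, make_context still verifies the chain but leaves check_hostname False, exactly the legacy behaviour the thread is arguing about; with it on, ssl does the comparison itself for new connections, and match_hostname above is what an application that already holds a getpeercert() dict would call.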