Date: Fri, 17 Sep 2021 18:49:13 +0200 From: Solar Designer <solar@...nwall.com> To: Alan Coopersmith <alan.coopersmith@...cle.com> Cc: oss-security@...ts.openwall.com Subject: Re: Oracle Solaris membership in the distros list Hi Alan, Thank you for submitting a thorough application. This provides a good example for other projects applying for (linux-)distros membership. Please consider this approved, and please e-mail me off-list with a list of e-mail addresses and PGP keys to use for Oracle Solaris subscription to the distros list. On Tue, Sep 14, 2021 at 03:36:21PM -0700, Alan Coopersmith wrote: > On 9/6/21 11:35 AM, Solar Designer wrote: > > Help ensure that each message posted to oss-security contains the > >most essential information (e.g., vulnerability detail and/or exploit) > >directly in the message itself (and in plain text) rather than only by > >reference to an external resource, and add the missing information > >(e.g., in your own words, by quoting with proper attribution, and/or by > >creating and attaching a properly attributed text/plain export of a > >previously referenced web page) and remind the original sender of this > >requirement (for further occasions) in a "reply" posting when necessary > > That seems like something we could help with. Please do. I've just listed Oracle Solaris for this task on the wiki. > I also note that there are > many vulnerabilities we discover in the FOSS packages we ship that never > make it to this list - when the researchers or project maintainers don't > send notices to oss-security, should folks like us at least give a heads > up here? > > One obvious one in the last week was the highly publicized Ghostscript > "0 day" - aka CVE-2021-3781, for which the upstream bug report is at > https://bugs.ghostscript.com/show_bug.cgi?id=704342 and media report at > https://therecord.media/ghostscript-zero-day-allows-full-server-compromises > (and yes, as noted in the above quote, an actual report to the list > needs more details than just these url's). > > Of course, we ship a smaller subset of FOSS than most Linux distros do, > so we won't spot everything, but can help contribute to a larger effort. Yes, I had thought of this problem too - and yes, I think it would be helpful to the community if more issues were brought in here. Please feel free to help with that. Thank you! I'm not sure if we can/should list this as one of the contributing-back tasks because it has no clear scope. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.