Date: Fri, 17 Sep 2021 18:49:13 +0200
From: Solar Designer <solar@...nwall.com>
To: Alan Coopersmith <alan.coopersmith@...cle.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Oracle Solaris membership in the distros list

Hi Alan,

Thank you for submitting a thorough application.  This provides a good
example for other projects applying for (linux-)distros membership.

Please consider this approved, and please e-mail me off-list with a list
of e-mail addresses and PGP keys to use for Oracle Solaris subscription
to the distros list.

On Tue, Sep 14, 2021 at 03:36:21PM -0700, Alan Coopersmith wrote:
> On 9/6/21 11:35 AM, Solar Designer wrote:
> >     Help ensure that each message posted to oss-security contains the
> >most essential information (e.g., vulnerability detail and/or exploit)
> >directly in the message itself (and in plain text) rather than only by
> >reference to an external resource, and add the missing information
> >(e.g., in your own words, by quoting with proper attribution, and/or by
> >creating and attaching a properly attributed text/plain export of a
> >previously referenced web page) and remind the original sender of this
> >requirement (for further occasions) in a "reply" posting when necessary
> 
> That seems like something we could help with.

Please do.  I've just listed Oracle Solaris for this task on the wiki.

> I also note that there are
> many vulnerabilities we discover in the FOSS packages we ship that never
> make it to this list - when the researchers or project maintainers don't
> send notices to oss-security, should folks like us at least give a heads
> up here?
> 
> One obvious one in the last week was the highly publicized Ghostscript
> "0 day" - aka CVE-2021-3781, for which the upstream bug report is at
> https://bugs.ghostscript.com/show_bug.cgi?id=704342 and media report at
> https://therecord.media/ghostscript-zero-day-allows-full-server-compromises
> (and yes, as noted in the above quote, an actual report to the list
>  needs more details than just these URLs).
> 
> Of course, we ship a smaller subset of FOSS than most Linux distros do,
> so we won't spot everything, but can help contribute to a larger effort.

Yes, I had thought of this problem too - and yes, I think it would be
helpful to the community if more issues were brought in here.  Please
feel free to help with that.  Thank you!

I'm not sure if we can/should list this as one of the contributing-back
tasks because it has no clear scope.

Alexander
