oss-sec mailing list archives
Re: CVE request: vulnerability in FreeRADIUS (OCSP)
From: Solar Designer <solar () openwall com>
Date: Tue, 19 Jul 2011 02:37:46 +0400
Hi,

We have almost 800 subscribers on oss-security, but DFN-CERT doesn't appear to be subscribed - so I've re-added the CC on this reply, and I'll over-quote a little.

dfncert () dfn-cert de wrote:
> We would be willing to provide the patch to all Linux distributors but we do not want to release the patch publicly and wait for the official patch by the packet maintainer of FreeRADIUS.

On Tue, Jul 19, 2011 at 12:06:15AM +0200, Stefan Behte wrote:
> Then posting it to the new vendor-sec (linux-distros () vs openwall org) sounds like the right thing to do.

This is not exactly the new vendor-sec. As the name suggests, it is a Linux distros only list.

Also, please note that the maximum acceptable embargo period on this list is 14 days. We need to communicate this detail to whoever we're asking to disclose anything to the list, before they disclose.

When posting to the list, you may encrypt messages to the attached key.

For FreeRADIUS specifically, it sounds like non-Linux vendors could be interested as well. DFN-CERT did mention Linux distros specifically in the quote above, so the suggestion to use the list was appropriate, but perhaps requests from other distros shipping FreeRADIUS should be accommodated as well. If something like this arrived at the Linux distros list without prior discussion on oss-security, I would bring this up and suggest that we contact *BSD's at least. Since this is already on oss-security, I assume that interested *BSD's and others may ask DFN-CERT themselves. ;-)

> Gentoo complies with your requirements and would like to get the patch directly, if you do not plan to send it there.

Alexander
Attachment: linux-distros.asc