
List:       oss-security
Subject:    [oss-security] Re: [videolan] [oss-security] older issues in libbluray
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2015-02-23 15:40:26
Message-ID: 54EB49EA.9020905 () redhat ! com


So the good news/bad news is I'm finished cleaning out about 20 older
bugs that were embargoed and not properly handled (mostly due to them
stalling and then being forgotten I guess, some were from 6 years ago,
well before I even worked for Red Hat).

Again my apologies for this mess. The good news is that all our current
embargoed flaws (none against VLC currently =) are being actively
handled (e.g. worked on in a current time frame), and moving forward we
should hopefully be able to avoid issues like this.

Also one request (not just specific to VLC, but everyone with a
project): please have a security@ email address for your project or a
security web page that makes it obvious how to contact and report things
privately. This is a common problem and easily solved (and will make it
much easier for people to report issues).

I just recently found myself emailing random security@ addresses at
other projects to see if they bounce or not. I still have no idea if the
projects received my security report (no bounce so here's hoping!).

On 23/02/15 01:52 AM, Jean-Baptiste Kempf wrote:
> We never were contacted.
> This is not really cool.
> 
> On 22 Feb, Kurt Seifried wrote:
>> With apologies, I tracked down the original report and added it to our
>> BZs. I was also under the impression VideoLan had been contacted but
>> just to ensure this is the case adding them to the CC.
>>
>> On 22/02/15 11:43 AM, Moritz Mühlenhoff wrote:
>>> On Fri, Feb 06, 2015 at 04:21:20PM -0700, Kurt Seifried wrote:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=959434
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=959433
>>>>
>>>> these may warrant a cve
>>>
>>> Have these been reported to libbluray upstream? The
>>> Bugzilla entries are rather scarce on details.
>>>
>>> Cheers,
>>>         Moritz
>>>
>>
>> -- 
>> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>
> 
> 
> 
>> _______________________________________________
>> videolan mailing list
>> videolan@videolan.org
>> https://mailman.videolan.org/listinfo/videolan
> 
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

