List:       oss-security
Subject:    Re: [oss-security] Oracle Solaris membership in the distros list
From:       Solar Designer <solar () openwall ! com>
Date:       2021-09-17 16:49:13
Message-ID: 20210917164913.GA10425 () openwall ! com

Hi Alan,

Thank you for submitting a thorough application.  This provides a good
example for other projects applying for (linux-)distros membership.

Please consider this approved, and please e-mail me off-list with a list
of e-mail addresses and PGP keys to use for Oracle Solaris subscription
to the distros list.

On Tue, Sep 14, 2021 at 03:36:21PM -0700, Alan Coopersmith wrote:
> On 9/6/21 11:35 AM, Solar Designer wrote:
> >     Help ensure that each message posted to oss-security contains the
> >most essential information (e.g., vulnerability detail and/or exploit)
> >directly in the message itself (and in plain text) rather than only by
> >reference to an external resource, and add the missing information
> >(e.g., in your own words, by quoting with proper attribution, and/or by
> >creating and attaching a properly attributed text/plain export of a
> >previously referenced web page) and remind the original sender of this
> >requirement (for further occasions) in a "reply" posting when necessary
> 
> That seems like something we could help with.

Please do.  I've just listed Oracle Solaris for this task on the wiki.

> I also note that there are
> many vulnerabilities we discover in the FOSS packages we ship that never
> make it to this list - when the researchers or project maintainers don't
> send notices to oss-security, should folks like us at least give a heads
> up here?
> 
> One obvious one in the last week was the highly publicized Ghostscript
> "0 day" - aka CVE-2021-3781, for which the upstream bug report is at
> https://bugs.ghostscript.com/show_bug.cgi?id=704342 and media report at
> https://therecord.media/ghostscript-zero-day-allows-full-server-compromises
> (and yes, as noted in the above quote, an actual report to the list
>  needs more details than just these URLs).
> 
> Of course, we ship a smaller subset of FOSS than most Linux distros do,
> so we won't spot everything, but can help contribute to a larger effort.

Yes, I had thought of this problem too - and yes, I think it would be
helpful to the community if more issues were brought in here.  Please
feel free to help with that.  Thank you!

I'm not sure if we can/should list this as one of the contributing-back
tasks because it has no clear scope.

Alexander