Re: Oracle Solaris membership in the distros list

Related Vulnerabilities: CVE-2021-3781  
oss-sec
mailing list archives
From: Solar Designer <solar () openwall com>

Date: Fri, 17 Sep 2021 18:49:13 +0200

Hi Alan,

Thank you for submitting a thorough application.  This provides a good
example for other projects applying for (linux-)distros membership.

Please consider this approved, and please e-mail me off-list with a list
of e-mail addresses and PGP keys to use for Oracle Solaris subscription
to the distros list.

On Tue, Sep 14, 2021 at 03:36:21PM -0700, Alan Coopersmith wrote:
> On 9/6/21 11:35 AM, Solar Designer wrote:
> > Help ensure that each message posted to oss-security contains the
> > most essential information (e.g., vulnerability detail and/or exploit)
> > directly in the message itself (and in plain text) rather than only by
> > reference to an external resource, and add the missing information
> > (e.g., in your own words, by quoting with proper attribution, and/or by
> > creating and attaching a properly attributed text/plain export of a
> > previously referenced web page) and remind the original sender of this
> > requirement (for further occasions) in a "reply" posting when necessary
>
> That seems like something we could help with.

Please do.  I've just listed Oracle Solaris for this task on the wiki.

> I also note that there are
> many vulnerabilities we discover in the FOSS packages we ship that never
> make it to this list - when the researchers or project maintainers don't
> send notices to oss-security, should folks like us at least give a heads
> up here?
>
> One obvious one in the last week was the highly publicized Ghostscript
> "0 day" - aka CVE-2021-3781, for which the upstream bug report is at
> https://bugs.ghostscript.com/show_bug.cgi?id=704342 and media report at
> https://therecord.media/ghostscript-zero-day-allows-full-server-compromises
> (and yes, as noted in the above quote, an actual report to the list
> needs more details than just these URLs).
>
> Of course, we ship a smaller subset of FOSS than most Linux distros do,
> so we won't spot everything, but can help contribute to a larger effort.

Yes, I had thought of this problem too - and yes, I think it would be
helpful to the community if more issues were brought in here.  Please
feel free to help with that.  Thank you!

I'm not sure if we can/should list this as one of the contributing-back
tasks because it has no clear scope.

Alexander

Current thread:

Oracle Solaris membership in the distros list Alan Coopersmith (Aug 24)

Re: Oracle Solaris membership in the distros list Solar Designer (Sep 06)

Re: Oracle Solaris membership in the distros list Alan Coopersmith (Sep 14)

Re: Oracle Solaris membership in the distros list Solar Designer (Sep 17)
