Date: Thu, 21 Feb 2008 11:43:17 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

* [2008-02-21 08:49:52 +0000] Mark J Cox wrote:

>> hahah... as Mark can attest, you're not the only one.  I've had to email
>> him a few times looking for some obscure src.rpm.
>
> We give the full path in our emailed advisories (except for the cases where 
> we are shipping something not open source like java/acroread) but the paths 
> are not in the web based versions.  So 
> http://www.redhat.com/archives/rhsa-announce/ since Nov 2007, or for older 
> stuff http://www.redhat.com/archives/enterprise-watch-list/
>
> Once you get an rpm then unpacking it without installing it is easy:
> rpm2cpio fn.rpm | cpio --make-directories --extract
>
> And we nearly always ship the pristine upstream tarball along with each 
> patch separately (exception being things like OpenSSL).
>
> This is definitely material for a 'how to find out how the vendor fixed 
> this' page.

Looks like Kees beat me to it:

http://oss-security.openwall.org/wiki/distro-patches

I've added Red Hat to this list based on the above info.

-- 
Vincent Danen @ http://linsec.ca/
