Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 24 Feb 2011 10:28:34 -0700
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Shawn M Moore <sartak@...tpractical.com>, security@...tpractical.com,
        Jan Lieskovsky <jlieskov@...hat.com>
Subject: Re: Re: CVE Request -- rt3 -- two issues: 1) Improper
 management of form data resubmittion upon user log out 2) SQL queries
 information leak by user account transition

* [2011-02-24 18:02:06 +0100] Ralf Corsepius wrote:

>On 02/24/2011 05:45 PM, Vincent Danen wrote:
>>* [2011-02-23 14:06:58 -0500] Josh Bressers wrote:
>>
>>>>Is Redhat packaging RT now, or are you just handling the CVEs?
>>>
>>>I'm not aware of Red Hat packaging RT. I'm just assign CVE ids to
>>>public issues.
>>
>Folks, my feel is you all are picking on words and details.

It is possible that Josh didn't realize it was packaged in Fedora and
EPEL (we do package quite a few things).

>>RT3 is packaged in Fedora and EPEL.
>>
>Correct. rt3 is community maintained in Fedora and RHEL. I am doing 
>so for Fedora and other people do for RHEL.
>So, strictly speaking it's not "Red Hat packaged", but 
>community-contributed to "Red Hat owned products" (Fedora rsp. Fedora 
>EPEL) and some folks @RH are filing CVS against it, for reasons I 
>don't know.

I'm not sure what you mean by that last statement (filing CVS against
it).  Do you mean filing bugs?

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ