oss-sec mailing list archives

Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 06 Mar 2015 20:54:47 -0700

On 06/03/15 06:08 AM, John Haxby wrote:

On 06/03/15 01:02, Kurt Seifried wrote:

Please contact your TAM/GSS with this request, it carries a lot
more impact if customers want something that we also want.



I know "me too" isn't helpful, but I'm going to say "me too" anyway.

It occurred to me that we could have a patch that has a global switch
(eg a file in, say, /etc/sysconfig and a corresponding switch for
individual applications) that switches on the correct behaviour.   I
know it's a bit of a mess, but that way people who don't care will
continue in blissful ignorance and people that do care can do
something about it.


That would be one way. But why can't Oracle build it and open source it?
Oracle has a Linux distribution too I thought? Or do you need Red Hat
engineering to do it first? If so as I said, customer cases carry far
more weight than oss-security for feature requests.

jch



-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 04)
- Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Donald Stufft (Mar 04)
  - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 04)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 05)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 05)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Michael Samuel (Mar 05)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 05)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 06)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 06)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 08)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 09)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 09)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 09)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 10)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Michael Samuel (Mar 10)
    - Re: PEP-466 common compatible implementation. (was ... CVE-2015-1777) John Haxby (Mar 10)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 Kurt Seifried (Mar 10)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 10)
    - Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 John Haxby (Mar 10)

(Thread continues...)