Re: CVE request: vulnerability in FreeRADIUS (OCSP)

[Solar Designer <solar () openwall com>]

On Tue, Jul 19, 2011 at 02:37:46AM +0400, Solar Designer wrote:
> On Tue, Jul 19, 2011 at 12:06:15AM +0200, Stefan Behte wrote:
> > Then posting it to the new vendor-sec (linux-distros () vs openwall org)
> > sounds like the right thing to do.
>
> This is not exactly the new vendor-sec.  As the name suggests, it is a
> Linux distros only list.  Also, please note that the maximum acceptable
> embargo period on this list is 14 days.  We need to communicate this
> detail to whoever we're asking to disclose anything to the list, before
> they disclose.  When posting to the list, you may encrypt messages to
> the attached key.

I've just described the new list and some of its policies in the newly
added "Linux distribution security contacts list" section at:

http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec

Maybe this will need to be moved to its own wiki page or to a wiki page
on multiple non-historical closed lists if we ever host several at once.
(Non-Linux lists may be setup if there's demand.)

Alexander