oss-sec mailing list archives

RE: Shellshocker - Repository of "Shellshock" Proof of Concept Code


From: Sona Sarmadi <sona.sarmadi () enea com>
Date: Tue, 7 Oct 2014 10:23:07 +0000

Unfortunately, there are currently several pending requests that I feel fall in
the gray area (some are in here, and some off-list, which I surely would
require bringing to oss-security before they may possibly be satisfied), and
this bothers me.  Arguably, this indicates that we're beyond the (very
limited) time period where I could reasonably host a vendor-sec replacement
list without it becoming too controversial.  So I think that we'll need to discuss
several other requests before we approach yours, and I just fail to find time
to get into that lately.

That said, the first link from:

http://oss-security.openwall.org/wiki/vendors#enea

currently leads to:

http://mail.lists.enea.com/pipermail/security-announce/

and this shows:

"The Security-announce Archives

No messages have been posted to this list yet, so the archives are currently
empty."

Why is that?  We'd need some way to see that you're actually issuing security
updates, and how promptly you do that.


Alexander,

We have actually sent advisories to this list! There must be some misconfiguration in the mailing list archive server;
I have put an IT guy on it. I can provide you the "Security Notification" we sent on Sep 25, or any other, if you want.

This list is mainly for critical vulnerabilities (such as Heartbleed & Shellshock...), for which we encourage Enea Linux
users to apply security patches immediately.

Some of our customers use Enea products in deeply embedded products, and thus are not exposed to the outside
world (Internet). They don't want to get security or other updates frequently. The other customers, who are affected and
want security updates, normally have special desires/requirements (for instance, some customers want monthly
updates, some want the fixes directly in their specific branch, etc.). So we provide security and other updates to
customers based on our agreements with them, through their contact channels and not via the ESRT team. We don't
send security advisories for these kinds of updates.
 
Our security strategy is to help OpenEmbedded, Yocto & vendor kernels backport security patches from mainline/
stable k.org/upstream projects as soon as possible, so that not only Enea customers but all Yocto users can get updates
from Yocto. We save time and also contribute back to the community.
 
I believe that vendors who are using Open Source products get more benefit if they collaborate with the
community rather than working isolated in their own world.
 
Regarding letting some security researchers who are not employed by any specific distro onto the list: I am not in
a position to decide this (I am not on it myself :) ), but my personal opinion is that if a researcher is reliable and
known and burns for security, why not? Most of the time these kinds of people help more because of their passion and
desire :) They are normally not paid, but they put their soul into detecting and solving security vulnerabilities. I
just wish that there were something the distros could do for these people. If they are freelance, maybe the
distros could give them different commitments/projects, so they could get paid for their hard work :)

Cheers
/Sona
