Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

[John Haxby <john.haxby () oracle com>]

> On 7 Mar 2015, at 03:54, Kurt Seifried <kseifried () redhat com> wrote:
>
> On 06/03/15 06:08 AM, John Haxby wrote:
> > On 06/03/15 01:02, Kurt Seifried wrote:
> > > Please contact your TAM/GSS with this request, it carries a lot
> > > more impact if customers want something that we also want.
> >
> >
> > I know "me too" isn't helpful, but I'm going to say "me too" anyway.
> >
> > It occurred to me that we could have a patch that has a global switch
> > (eg a file in, say, /etc/sysconfig and a corresponding switch for
> > individual applications) that switches on the correct behaviour.   I
> > know it's a bit of a mess, but that way people who don't care will
> > continue in blissful ignorance and people that do care can do
> > something about it.
>
> That would be one way. But why can't Oracle build it and open source it?
> Oracle has a Linux distribution too I thought? Or do you need Red Hat
> engineering to do it first? If so as I said, customer cases carry far
> more weight than oss-security for feature requests.


Sorry, I didn’t mean to imply that Red Hat should do this first.   I’m also sorry if this came across as antagonistic: 
my intention was to try to find a way forward that would be beneficial to us both and to everyone else.

There is no reason at all why I should not do this, but I would rather do it with broad agreement.   There is also 
absolutely no way this could be done as closed-source and I’m not sure why you think I could or would do that.

If both Red Hat have customer requests then that would help everyone would it not?

jch

> > jch
>
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail