Date: Fri, 04 Mar 2011 22:00:56 +1100
From: David Hicks <hickseydr@...usnet.com.au>
To: oss-security@...ts.openwall.com
Subject: Re: Vendor-sec hosting and future of closed lists

On Thu, 2011-03-03 at 13:36 -0800, Kees Cook wrote:
> Several upstreams, though disappointingly not the Linux kernel, are very
> good about keeping their end-users in mind and providing direct distro
> coordination for important security updates (MIT Kerberos comes to mind
> first as a great example). This number of upstreams has been growing,
> but it's not nearly large enough to supplant a vendor-sec-like mailing
> list, IMO.


CVE number assignment: perspective from a small open source project

The MantisBT project (open source web based bug tracking) has been
directly notifying major distributions of bugs which have a notable
security impact. A project specific announcements mailing list, blog,
bug tracker, IRC channel, Twitter account and source repository are also
used to convey information to users about new releases. A number of
notices were also sent to oss-security late last year in response to
vulnerabilities being discovered.

The reason I bring up the long list of notification options is because
of CVE number assignment. It strikes me that one of the key benefits of
CVE numbers is to improve the ease with which a security issue can be
tracked and information gathered via Internet search.

The time when a CVE number is arguably most useful is during the patch,
release announcement and notification processes where it can be used to
tie related information to a single tracking number. From the
perspective of a small open source project, obtaining CVE numbers via
oss-security appears to be a relatively slow process that can take a
number of days. Furthermore, oss-security is probably one of
the fastest methods (if not the only method) small open source projects
can use to seek CVE numbers.


Why can't the project embargo the issue until a CVE number is assigned?

A large number of MantisBT users bypass their distribution packaging
system to obtain the software directly (commonly the case for web
applications). Other users do not have packaging systems available on
their platform of choice (Windows or shared web hosting).

MantisBT has typically taken the full disclosure approach in the
interests of providing the fastest possible response time to independent
users. This involves applying a very obvious security patch in the
repository, creating a new release and loudly notifying users that
they need to upgrade to the new minor release without delay for security
reasons. This process currently occurs prior to a CVE number being
allocated and as such our announcements, mailing list threads, commit
messages, bug reports, etc. generally miss out on being tagged with a CVE
reference.

A smaller niche/boutique distribution, which MantisBT does not have
the resources to contact for every vulnerability, may hear about
the issue first on oss-security. Their usual package maintainer
subscribed to the MantisBT project announcement mailing list may be on
holiday. That's OK though because the security team of the distribution
may pick up on the news from oss-security (correct me if this use case
is incorrect).

I would have thought that it'd be beneficial for the security team (and
any other interested parties) to take a CVE number from the oss-security
thread and perform an Internet search to bring up the maximum amount of
information related to a vulnerability - Internet wide. The most
important information is likely going to be from the open source project
itself - announcements, mailing list threads, commit messages, IRC logs
and bug reports. However blog posts, external mailing list threads, IRC
logs, etc away from the official project communication channels may also
be useful.


Suggestion

Is there a way open source projects can receive CVE numbers in a more
timely fashion? Projects may go for entire years without a vulnerability
and therefore pre-assignment may not be ideal. I suppose that is a
downside of using an incremental integer numbering system. Perhaps some
form of provisional CVE request functionality could exist for registered
open source projects to call upon? Or an increased number of
staff/volunteers within distributions who can assign CVE numbers via
oss-security?


David Hicks
MantisBT Developer
mantisbt.org, #mantishelp freenode

