Date: Wed, 1 Jun 2011 18:07:08 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: openssl timing attack

CERT, Thomas, Josh, all -

On Tue, May 31, 2011 at 03:44:40PM -0400, Josh Bressers wrote:
> ----- Original Message -----
> > looks like the following has no CVE-ID assigned yet:
> > http://www.kb.cert.org/vuls/id/536044
>
> Please use CVE-2011-1945. Thanks!

The CERT Vulnerability Note says: "Date Public: 2011-05-17", yet this was only brought to oss-security on the 31st. According to the Vulnerability Note, CERT notified a handful of distros, but definitely by far not all those shipping OpenSSL (which would be unrealistic) and not all those CERT had been notifying of similar issues before (which was realistic).

I am not too concerned about the issue itself and about the more restricted advance notification, but I am concerned about the delay between CERT making a Vulnerability Note public and us (as well as many others) learning of it (via oss-security in this case). Maybe there's something to improve in this area.

I went to http://www.us-cert.gov/cas/signup.html to see if there's a public CERT mailing list I should be on in order to receive new Vulnerability Notes (that are being made public) with no delay (or at least with less delay). Unfortunately, for Vulnerability Notes there appears to be an Atom feed only, no mailing list (which I'd prefer). Perhaps set one up?

Also, do we possibly want all Open Source software security issues to be brought to oss-security, even if they already have CVE IDs assigned? For example, don't we want all issues discussed on the Linux distros closed list to eventually be mentioned in here (in addition to the distro vendor advisories)? I think we do. Ditto for stuff handled via US-CERT and other CERTs.

Once again, I am not too concerned about the specific OpenSSL issue, which even the OpenSSL team does not find important enough to warrant a security fix release (according to their vendor statement to CERT), although I like the research behind it. I just think that it's an opportunity for us to learn to avoid such two-week post-disclosure delays in the future, potentially for more severe issues.

I'd appreciate any comments.

Thanks,

Alexander