Date: Tue, 27 Mar 2012 12:18:33 -0700
From: VSR Advisories <advisories@...curity.com>
To: Solar Designer <solar@...nwall.com>
CC: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, 
 oss-security@...ts.openwall.com
Subject: Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation
  (Multiple office products affected)

Hi Alexander,

As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.


> When it became apparent that this was to be violated since one or two of 
> the affected upstreams wanted much more time, the reporter (Timothy D. 
> Morgan of VSR Security) explained that at the time of his initial 
> notification he had thought that 14 days would in fact be enough.  While 
> this sounds like a rather fundamental problem with a maximum embargo time 
> policy (it is always possible that something new is discovered during 
> discussion, which may invalidate the initial time estimate of the 
> reporter), I've just added the following verbiage to hopefully reduce the 
> number of such occurrences going forward:
> 
> "If you have not yet notified upstream projects/developers of the affected 
> software, other affected distro vendors, and/or affected Open Source 
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."

I think this is a good idea.  I likely misunderstood the process you want
researchers to follow when it comes to using the distros list.  While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.


I'll reserve some additional comments for the oss-security list exclusively.

Thanks,
tim
