Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 8 Apr 2014 22:28:24 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Jussi Eronen <juhani.eronen@...ora.fi>
Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information
 disclosure CVE-2014-0160

On Tue, Apr 08, 2014 at 02:03:46PM -0600, Kurt Seifried wrote:
> So to respond/clear up some points:
> 
> It appears Codenomicon and Google found the vulnerability
> independently. Google reported it to OpenSSL. Codenomicon reported it
> to NCSC-FI, I'm not sure who (Codenomicon or NCSC-FI) drove the
> notification of CloudFlare/etc. and they also reported it to OpenSSL
> (I don't know if that was before or after notifying OpenSSL).

Well, as I put in my tentative timeline, and according to Jussi Eronen
(from NCSC-FI, afaict) mail in that thread, NCSC-FI only reported to
OpenSSL “a couple of hours before the advisory”, so my understand is
that NCSC-FI was not aware of the vulnerability last week.  Maybe
Codenomicon was, though. Jussi, could you confirm that?
> 
> 1) Mark J. Cox did not give Red Hat any advanced warning, he strongly
> separates what he does with OpenSSL with what he does with Red Hat
> (this is quite common at Red Hat, for example we have a guy on the
> Debian security team, the Samba group, etc.). I for example sometimes
> issue private CVE's in advance, but they don't get bugs filed/etc
> until they hit a "public" source like distros@ or oss-security@.
> 
> 2) Mark informed Red Hat and as you can see from the public time line
> Huzaifa entered a bug into BZ and then notified distros@ about 14
> minutes later, basically at the same time. Red Hat SRT is globally
> situated so anyone from distros@ emailing us for details would have
> gotten a very prompt response.

Ok the “Mark notifies^Winforms Red Hat” line and the “Huzaifa
Sidhpurwala opens a bug” could actually be merged, they were more or
less at the same time.
>  
> 3) At this point the plan was to embargo this until April 9th (I
> forget what time), giving everyone 2+ days to deal with it. So OpenSSL
> in conjunction with Red Hat attempted to do a coordinated response
> with the community.

I'm also unsure why that could not have been done earlier, when OpenSSL was
first notified (by Google, supposedly).
> 
> 4) Things blew up. My understanding is that OpenSSL made this public
> due to additional reports, I suspect it boiled down to "Group A found
> this flaw, reported it, and has a reproducer, and now Group B found
> the same thing independently and also has a reproducer. chances are
> the bad guys do as well so better to let everyone know the barn door
> is open now rather than wait 2 more days" but there may be other
> factors I'm not aware.

Yeah, maybe the report by NCSC-FI to OpenSSL scared them. I don't know
who to contact at OpenSSL and I'm not sure if they read the list.
> 
> 5) Monday morning: everyone is scrambling to get patches out and
> update systems.

Actually, all times are UTC. I don't know about others, but Debian
security team is mostly in western Europe, so it was monday
evening/night.
> 
> 6) At least one vendor (CloudFlare) posts a blog entry stating they
> were notified a week ago by Codenomicon/NCSC-FI , and claiming that it
> was via "responsible disclosure". Other major vendors were not
> informed (e.g. Amazon:
> http://aws.amazon.com/security/security-bulletins/heartbleed-bug-concern/).

I don't think they said they were notified by Codenomicon/NCSC-FI (and
that doesn't fit the timeline).
> 
> 
> 7) At least one vendor (Google) found this independently and, as I
> understand it, patched their own systems (which is completely
> understandable).

Indeed.
> 
> > I don't want to point finger, but I sincerely hope the next time 
> > something like that happens, coordination will be done early in
> > the processus, and relevant vendors will have a chance to prepare
> > themselves
> 
> As you can see above, it was attempted, but Murphy's law took over.

Sure, thank you for starting that coordination as soon as you were made
aware of the vulnerability (and sorry we weren't there monday morning
UTC to help you on that).

I was more ranting about what happened and did not happened “last week”.

Regards,
-- 
Yves-Alexis Perez

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.