Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Apr 2014 09:28:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Jussi Eronen <juhani.eronen@...ora.fi>
Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160

On Tue, Apr 08, 2014 at 10:28:24PM +0200, Yves-Alexis Perez wrote:
> Well, as I put in my tentative timeline, and according to Jussi Eronen
> (from NCSC-FI, afaict) mail in that thread, NCSC-FI only reported to
> OpenSSL ???a couple of hours before the advisory???, so my understand is
> that NCSC-FI was not aware of the vulnerability last week.  Maybe
> Codenomicon was, though. Jussi, could you confirm that?

Codenomicon definitely was:

Domain Name: HEARTBLEED.COM
Creation Date: 2014-04-05 15:13:33
Registrant Name: Marko Laakso
Registrant Organization: Codenomicon Oy

Jarkko Lamsa (@...pska), "Fuzzing and threat intel @codenomicon, martial
arts", made some comments on Twitter:

<@...pska> @cynicalsecurity It was independent co-discovery. Plan was for responsible disclosure but it leaked (dunno where) forcing openssl go public

<_snagg> Wait, CloudFare fixed the OpenSSL bug 1week ago?somebody is getting the hang of this 'responsible disclosure' thing http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
<@...pska> @_snagg Independent co-discovery. Plan was a responsible disclosure, but it went public too soon http://www.heartbeat.com
<@...w> @lampska @_snagg why did some get notified last week, but other didn't get notified until it went public?
<@...pska> @ysaw @_snagg I do not have visibility to what happened there. I do know we had just started conversations with CERTs when this went public

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ