Date: Wed, 9 Apr 2014 09:28:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Jussi Eronen <juhani.eronen@...ora.fi>
Subject: Re: OpenSSL 1.0.1 TLS/DTLS heartbeat information disclosure CVE-2014-0160

On Tue, Apr 08, 2014 at 10:28:24PM +0200, Yves-Alexis Perez wrote:
> Well, as I put in my tentative timeline, and according to Jussi Eronen
> (from NCSC-FI, afaict) mail in that thread, NCSC-FI only reported to
> OpenSSL "a couple of hours before the advisory", so my understanding is
> that NCSC-FI was not aware of the vulnerability last week. Maybe
> Codenomicon was, though. Jussi, could you confirm that?

Codenomicon definitely was:

Domain Name: HEARTBLEED.COM
Creation Date: 2014-04-05 15:13:33
Registrant Name: Marko Laakso
Registrant Organization: Codenomicon Oy

Jarkko Lamsa (@...pska), "Fuzzing and threat intel @codenomicon, martial
arts", made some comments on Twitter:

<@...pska> @cynicalsecurity It was independent co-discovery. Plan was for responsible disclosure but it leaked (dunno where) forcing openssl go public

<_snagg> Wait, Cloudflare fixed the OpenSSL bug 1 week ago? somebody is getting the hang of this 'responsible disclosure' thing http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

<@...pska> @_snagg Independent co-discovery. Plan was a responsible disclosure, but it went public too soon http://www.heartbeat.com

<@...w> @lampska @_snagg why did some get notified last week, but other didn't get notified until it went public?

<@...pska> @ysaw @_snagg I do not have visibility to what happened there. I do know we had just started conversations with CERTs when this went public

Alexander