Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Jun 2014 07:10:08 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

Don,

On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote:
> I chose not to release the bug reports to the public within the timeframe
> suggested by Solar for several reasons:
>  1) I have deep visibility into the vulnerable code and understand the
> constraints of exploitation and the breadth
>  2) The public exposure was non-obvious, and was not advertised by the
> vendor
>  3) The most widely effected vendors (Linux and Oberhumer) had yet to
> release a patch publicly
>  4) The time between exposure and public release was short enough to
> negative exposure

Thank you for providing this reasoning.

> My job, as I saw it, was to responsibly coordinate word between all
> parties. I did that as best as I could given the teams, their time zones,
> their understanding of the bug, and their speed.
> 
> All in all, I think it worked out OK, and I am satisfied with the result
> thus far. There are things that could have gone better, but over all each
> team worked hard to produce solid patches in a reasonable time frame. We
> hit that goal.

I am also of the opinion that everyone did their best, and that's great.

I think actual negative impact of the delay is small or non-existent.
However, I felt we must have posted these additional comments on the
disclosure process in here, because it deviated from what's normally
expected for issues disclosed to the distros list:

http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists

"When the security issue is finally to be made public, it is your (the
original reporter's) responsibility to post about it to oss-security
(indeed, you and others may also post to any other mailing lists, etc.)"

I am tempted to add "on the same day" after "to oss-security", since
this is what we expect (and what usually happens), but there may be
occasional exceptions like this, so maybe we leave the wording as-is?

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ