Date: Thu, 26 Jun 2014 21:15:05 -0600
From: "Don A. Bailey" <>
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

Totally understand. Not a problem at all, I thought I should just offer my
perspective for this list, as they were not on the Linux kernel thread, nor
the distros thread. :-)

I'm very happy to hear you agree that negative impact was minimal.


On Thu, Jun 26, 2014 at 9:10 PM, Solar Designer <> wrote:

> Don,
> On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote:
> > I chose not to release the bug reports to the public within the timeframe
> > suggested by Solar for several reasons:
> >  1) I have deep visibility into the vulnerable code and understand the
> > constraints of exploitation and the breadth
> >  2) The public exposure was non-obvious, and was not advertised by the
> > vendor
> >  3) The most widely affected vendors (Linux and Oberhumer) had yet to
> > release a patch publicly
> >  4) The time between exposure and public release was short enough to
> > negative exposure
> Thank you for providing this reasoning.
> > My job, as I saw it, was to responsibly coordinate word between all
> > parties. I did that as best as I could given the teams, their time zones,
> > their understanding of the bug, and their speed.
> >
> > All in all, I think it worked out OK, and I am satisfied with the result
> > thus far. There are things that could have gone better, but overall each
> > team worked hard to produce solid patches in a reasonable time frame. We
> > hit that goal.
> I am also of the opinion that everyone did their best, and that's great.
> I think actual negative impact of the delay is small or non-existent.
> However, I felt we must have posted these additional comments on the
> disclosure process in here, because it deviated from what's normally
> expected for issues disclosed to the distros list:
> "When the security issue is finally to be made public, it is your (the
> original reporter's) responsibility to post about it to oss-security
> (indeed, you and others may also post to any other mailing lists, etc.)"
> I am tempted to add "on the same day" after "to oss-security", since
> this is what we expect (and what usually happens), but there may be
> occasional exceptions like this, so maybe we leave the wording as-is?
> Alexander
