Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 22 Mar 2015 12:44:37 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: membership request to the closed linux-distros security mailing list

* Stuart Henderson:

> On 2015/03/20 08:16, Anthony Liguori wrote:
>> 
>> I think the alternative is to formalize what already appears to be the
>> existing practice: disclose distros@ on the existence of a
>> vulnerability but require direct contact for the details of the
>> vulnerability if the submitter/upstream thinks the impact is high.
>
> Are private lists even needed if this policy is taken?

Yes, it is.  Often, things are bad enough that just looking at the
software for five minutes is sufficient to rediscover the
vulnerability.  Or maybe a couple of different vulnerabilities with
similar impact.

There's also interaction with CVE assignment.  The current, working
assignment process requires short embargoes at least.  And a certain
subset of reporters cares about the CVE assignment above anything else
because it's a widely-accepted metric for having found something,
which in turn indicates that the reporters have done their job.  I
think we can and should reduce the number of embargoes, but we'd have
to address the CVE assignment process for public issues at the same
time.

Reducing the number of embargoes would also help those
quasi-proprietary vendors and show them that building upstream
relationships and tracking their software portfolio are the key tasks,
and not getting a few days advance notice for vulnerabilities.  Most
GNU/Linux distributions can fix about anything that's fixable at all
within two or three weeks (and that includes the analysis required to
actually understand the bug).  Most quasi-proprietary vendors work on
totally different time scales, and even if they do not have to do the
analysis themselves, a few weeks is nothing to them.

But here's another perspective.  Lior Kaplan writes, “Even if the
issue isn't severe, upstream should get a fair chance to fix issue
before making them public.”

<https://liorkaplan.wordpress.com/2015/03/19/cve-assignment-without-upstream-knowledge/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.