Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 23 Sep 2017 14:57:27 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On Sat, 23 Sep 2017 at 13:44:18 +0200, Hanno Böck wrote:
> Debian+Ubuntu took more than a day after disclosure to fix. According
> to the Debian bug tracker the bug got only opened after the public
> disclosure[2].

The Debian bug tracker (bugs.debian.org) is always public and has no
mechanism for embargoing individual bugs, so it is never used before
public disclosure.

It's entirely possible that your conclusion is correct in this case
(I don't have any more information than you do on whether the Debian
security team or package maintainer made use of the embargo period
for this vulnerability), but the late opening of a bug is not evidence
that no work was done before public disclosure.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777545 is an example
of a vulnerability for which the package maintainer (me) was definitely
aware before the bug was filed.

    S

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ