Date: Sat, 23 Sep 2017 14:57:27 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On Sat, 23 Sep 2017 at 13:44:18 +0200, Hanno Böck wrote:
> Debian+Ubuntu took more than a day after disclosure to fix. According
> to the Debian bug tracker the bug got only opened after the public
> disclosure.

The Debian bug tracker (bugs.debian.org) is always public and has no
mechanism for embargoing individual bugs, so it is never used before
public disclosure.

It's entirely possible that your conclusion is correct in this case (I
don't have any more information than you do on whether the Debian
security team or package maintainer made use of the embargo period for
this vulnerability), but the late opening of a bug is not evidence that
no work was done before public disclosure.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777545 is an example
of a vulnerability for which the package maintainer (me) was definitely
aware before the bug was filed.

    S