Date: Mon, 25 Sep 2017 14:52:13 +0100
From: Cliff Perry <cperry@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On 23/09/17 12:44, Hanno Böck wrote:
> Hi,
>
> A few days have passed since the optionsbleed disclosure. Some
> interesting things have surfaced, e.g. the fact that it was apparently
> discovered already in 2014, but nobody noticed it was a security bug.
>
> But I'd like to discuss something else:
> I had informed the distros mailing list one week earlier about the
> upcoming disclosure with a bug description and links to the already
> available patch.
> My understanding is that the purpose of the distros list is that
> updates can be prepared so after a disclosure the time between "vuln is
> known" and "patch is available" is short.
> However from all I can see this largely didn't happen.
>
> Debian+Ubuntu took more than a day after disclosure to fix. According
> to the Debian bug tracker the bug got only opened after the public
> disclosure. I see no sign that any work on a fix began before the
> disclosure.
>
> If I can trust Red Hat's CVE tracker there still are no fixed
> packages available. Also I haven't found any info about updated
> opensuse packages.
>
> The only distro I'm aware of that prepared packages and pushed them
> right after disclosure is Gentoo.
>
> All of this makes me wonder if the distros list serves its purpose.
>
> I'd be curious to hear:
>
> a) if any people felt that pre-disclosure of optionsbleed was helpful
> to them and in which way (after all - even if it only helps minor
> distros and major distros ignore it it may still be a good thing).
>
> b) if people think that they'd usually prepare a fixed package, however
> they didn't consider optionsbleed important enough. (Naturally I
> probably have a bias seeing my findings as more important than other
> people, but I could live with that.)
>
> c) other things?
>
> https://arxiv.org/pdf/1405.2330.pdf
> https://blog.fuzzing-project.org/61-How-Optionsbleed-wasnt-found-in-2014.html
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876109
> https://access.redhat.com/security/cve/cve-2017-9798

Hi Hanno,

The detail of your report was good quality and I'm sure appreciated by
everyone who needed to review it. I know that for Red Hat the
pre-disclosure was useful.

During analysis, like SUSE, we rated it as having a security impact of
Moderate (https://access.redhat.com/security/updates/classification);
and not highly impacting that required expedited preparation of packages
for the embargo date.

Additional information is contained within the bugzilla linked off our
CVE page (https://bugzilla.redhat.com/show_bug.cgi?id=1490344).

We look forward to working with you again in the future.

Regards,
Cliff

--
Senior Engineering Manager
Red Hat Product Security