Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Dec 2011 23:12:40 +0400
From: Solar Designer <>
Subject: Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision

On Wed, Dec 28, 2011 at 07:07:30PM +0100, Andrea Barisani wrote:
> 2011-11-01: contacted affected distributions
> 2011-12-28: advisory release

The linux-distros list was made use of.  (I assume oCERT also contacted
non-Linux distributions separately.)

This was the first major exception to linux-distros' list policy to
limit embargoes to 14 days at most (after initial posting to the list).

I did not object this time because the underlying issue was publicly
known and the impact was limited to DoS.  Well, and I was not given an
opportunity to object other than by asking for the CRD to be moved to an
earlier date, which would likely not work for others.  (I am not

Yet I feel that I need to post in here and state that this does not set
a precedent, that the "14 days" policy is in effect, and that occasional
exceptions, if any, need to be agreed upon in advance (unlike it
happened this time).  That is, if someone wants to report an issue via
the linux-distros or distros lists and propose a longer embargo period,
they need to state so first, without disclosing much detail about the
issue to the list.  I think it may be OK (although this might vary on a
case by case basis) to disclose the minimum required for list members to
agree to a longer embargo period as a rare exception (like it would
probably happen for these hash collision issues), object to it (have the
list notified with detailed info closer to the proposed CRD), or/and opt
to request the detail individually (not via the list).

I think this is a rare exception to oCERT's policy, too.  It says:

"- under extremely exceptional circumstances, if the oCERT Team and all
the parties involved feel the need for longer time, a 2 months embargo
can be applied, in this case we would clearly document the decision for
public review"

Andrea - you could want to "clearly document the decision for public
review" now, although I guess your rationale was similar to mine (when I
decided not to object to the unusually long embargo period this time).

Thank you for your work on this issue!  I imagine it was pretty
time-consuming with so many affected projects.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.