Date: Thu, 21 Mar 2013 06:57:54 +0400
From: Solar Designer <solar@...nwall.com>
To: larry Cashdollar <larry0@...com>
Cc: oss-security@...ts.openwall.com, kseifried@...hat.com
Subject: Re: Ruby CVEs

Larry,

On Wed, Mar 20, 2013 at 09:57:20PM -0400, larry Cashdollar wrote:
> This was my fault, I should have sent the CVE numbers off list. Sorry all.

Why keep information off-list, when it is of interest to some on the
list?  That would be worse.  Reviewing the list archives, I see that the
"Ruby CVEs" thread was started in here by Kurt:

http://www.openwall.com/lists/oss-security/2013/03/19/2

Then you posted three additional messages on the same day:

http://www.openwall.com/lists/oss-security/2013/03/19/7
http://www.openwall.com/lists/oss-security/2013/03/19/8
http://www.openwall.com/lists/oss-security/2013/03/19/9

with each of them in its own thread.  Thus, maybe the only thing you
could have done better on that day (given that you had already requested
CVEs privately 3 days before) was to reply to the thread started by Kurt,
thereby making it more likely that he'd see the messages as being
relevant to his "Ruby CVEs".  I understand that replying to an existing
thread with a forwarded message may be cumbersome; if so, you could have
posted the forwarded messages separately (like you did) and then replied
to the original thread saying that you had just posted a relevant
message (and preferably including a list archive URL for that message).

On March 16, you could have done better by requesting the CVEs via
oss-security rather than in private.  This would also serve to inform
the list subscribers of the security issues earlier.

Kurt could have done better by paying attention to other messages on
this list before assigning CVE IDs.  The traffic in here is not high.

Overall, I think all of you have tried to do the right thing, and I
would not want to have information withheld from this list merely to
avoid duplicate CVE IDs in the future.  CVEs are handy, but the CVE
assignment process should not affect what is posted publicly and when.

Thanks,

Alexander
