Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 08 Apr 2014 18:17:57 +0300
From: Jussi Eronen <juhani.eronen@...ora.fi>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure
 CVE-2014-0160

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On 04/08/2014 01:05 AM, Yves-Alexis Perez wrote:
> On Mon, Apr 07, 2014 at 01:56:27PM -0700, Reed Loden wrote:
>> Was this not coordinated with the distros at all? If not, that
>> seems like major fail on the reporters and NCSC-FI's part. :/
> 
> There was a mail from Red Hat on monday morning (CEST) with no
> detail and a CRD to april 9th. It seems OpenSSL advisory came a
> bit uncoordinated, actually, which (it seems) triggered the release
> of the heartbeat and cloudfare posts, as well as the Red Hat one
> here.

We reported the issue to OpenSSL a couple of hours before the advisory
was published. Our plan was to start notifications to distros and
other vendors after discussing with OpenSSL. Codenomicon did mention
us as the coordinator in the original text of heartbleed.com, but the
current text reflects the situation quite well:

"""
Who coordinates response to this vulnerability?

NCSC-FI took up the task of reaching out to the authors of OpenSSL,
software, operating system and appliance vendors, which were
potentially affected. However, this vulnerability was found and
details released independently by others before this work was
completed. Vendors should be notifying their users and service
providers. Internet service providers should be notifying their end
users where and when potential action is required.
"""

- -Jussi / NCSC-FI (formerly known as CERT-FI)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJTRBMSAAoJELribKLoD5cx9RUP/0P0RSoXel4HvfWxUhGZfnsy
q8yNYzOPMO8fIXxKg5W7CfSr4zy05gZSBIKDdETOtEcDFIDN4+4fZPvxMguF74Qe
EKfUoyaXvK3JbQ/E1aw1CvYxLSPGRw3AcwkeTYtMZLzNqLwN6zBYvVjkr4GvGWG4
30m1CmDWsR0MYrMrO04j6aSc1ykDg33avw+/Fs5TXOkoJCbzbjKgZ/QFU0C9KLU0
VklrToFsupU722bQ11i8RlGXcA+0BNMFBabEVRW8jqym0cYVSsoIr6GrCMLeqOkq
WmnxsSnNkZg4mjwwYLZS+Bl70veSvyBrIcyke2V74wgnDR9j0on/v6mK3p4Cu9bF
3EH+2GI43o0sOsmHl7uMhvL4JbJOAcxsfYLsULoHCWTx0qzYtqquanjOyk72bxWk
lZG0hfYQIonPX505riLGDN0DUHkoEq8JyQU4hFwDrI6Fxk6i783GVA4eqJdXHTM3
qisH4T7elh8xQAqJYT7gIe3oRsZo2Kj4SProuGT3usqJgwl0wEch4JjZyx70Ren9
E3DSPRvZKB7zHqbL0f0UbvpGtcsNrGBhayMcoZXmjCEODsJTwJZ0OFyMae+Z7gxP
+QugddtuM2S898DFrgrFKVtnTLDABe/UQ3z0wzczN4ZHlz6g/9rzHV4NW6BHe1f2
M+QZTIHz+8FfV7mnAHsa
=Ukts
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.