Date: Thu, 5 Jun 2014 17:54:53 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: OpenSSL seven security fixes On Thu, Jun 05, 2014 at 04:43:25PM +0400, Solar Designer wrote: > The distros list was informed of the upcoming OpenSSL release a few days > in advance, but detail on the vulnerabilities was being provided > separately, on request from each specific distro individually (PGP > encrypted). Overall, I'd say the advance notification to distros was > just right - not too much (only a few days), not too little (just > enough), and without unnecessarily exposing the detail to distros who > wouldn't need it. > > A bit worrying is the statement that the "issue was reported to OpenSSL > on 1st May 2014", though, but I appreciate the OpenSSL team making that > statement (it's in the advisory). Mark Cox, who was providing vulnerability detail to individual distros, has just posted the timeline: https://plus.google.com/+MarkJCox/posts/L8i6PSsKJKs --- Here is the timeline from my (OpenSSL) perspective for the recent CCS Inject MITM vulnerability as well as the other flaws being fixed today. ** SSL/TLS MITM vulnerability (CVE-2014-0224) 2014-04-22 (Date we were told the reporters shared the issue with JPCERT/CC) 2014-05-01 JPCERT/CC make first contact with OpenSSL security 2014-05-02 JPCERT/CC send detailed report and reproducer to OpenSSL security 2014-05-09 CERT/CC make first contact with OpenSSL security and send an updated report 2014-05-09 OpenSSL verify the issue and assign CVE-2014-0224 2014-05-12 JPCERT/CC contact OpenSSL with updated reproducer 2014-05-13 OpenSSL start communication directly to reporters to share updated patch and other technical details 2014-05-21 JPCERT/CC notify OpenSSL they have notified "vendors who have implemented OpenSSL in their products" under their framework agreement 2014-05-21 CERT/CC request permission to prenotify vendors of the issue 2014-05-21 OpenSSL work with two major infrastructure providers to test the fix and ensure the fix is sufficient 2014-06-02 CERT/CC notify their distribution list about the security update but with no details 2014-06-02 "OS distros" private vendor list is given headsup and ability to request the patches and draft advisory (0710). Told Red Hat (0710) Debian (0750) FreeBSD (0850), AltLinux (1050), Gentoo (1150), Canonical (1150), IBM (1700), Oracle (1700), SUSE (2014-06-03:0820), Amazon AMI (2014-06-03:1330), NetBSD/pkgsrc (2014-06-04:0710), Openwall (2014-06-04:0710) 2014-06-02 Red Hat find issue with patch (1400), updated patch sent to vendors 2014-06-02 Canonical find regression with patch (1700), Stephen produces updated patch, sent to vendors (1820) 2014-06-03 "ops-trust" (1015) and selected OpenSSL Foundation contracts (0820) are told a security update will be released on 2014-06-05 but with no details 2014-06-05 Security updates and advisory is released ** DTLS recursion flaw (CVE-2014-0221) 2014-05-09 Reporter contacts OpenSSL security 2014-05-09 OpenSSL contacts reporter with possible patch for verification 2014-05-16 Reporter confirmes patch 2014-05-18 OpenSSL tells reporter CVE name 2014-06-02 "OS distros" notification as above 2014-06-03 OpenSSL lets reporter know the release date 2014-06-05 Security updates and advisory is released ** DTLS invalid fragment vulnerability (CVE-2014-0195) 2014-04-23 HP ZDI contact OpenSSL security and pass on security report 2014-05-29 OpenSSL let ZDI know the release date 2014-06-02 "OS distros" notification as above 2014-06-05 Security updates and advisory is released ** Anonymous ECDH denial of service (CVE-2014-3470) 2014-05-28 Felix Grbert and Ivan Fratri at Google report to OpenSSL 2014-05-29 OpenSSL tell reporters CVE name and release date 2014-06-02 "OS distros" notification as above 2014-06-05 Security updates and advisory is released (All times UTC) --- On Twitter, Mark (@iamamoose) pointed out that "by telling OS vendors in advance we actually caught two problems with the patches!", I guess referring to these two timeline entries: 2014-06-02 Red Hat find issue with patch (1400), updated patch sent to vendors 2014-06-02 Canonical find regression with patch (1700), Stephen produces updated patch, sent to vendors (1820) Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.