Date: Thu, 25 Sep 2014 02:11:17 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash

Florian,

On Wed, Sep 24, 2014 at 09:21:40PM +0200, Florian Weimer wrote:
> * Florian Weimer:
> 
> > Someone has posted large parts of the prenotification as a news
> > article, so in the interest of full disclosure, here is what we wrote
> > to the non-vendors (vendors also received patches):
> 
> Oh dear.  It's now been implied that something leaked before the
> embargo was over, or that more information was disclosed than planned.
> 
> This is not the case, on either count.  I was just annoyed that parts
> of a private message I wrote ended up on a news site without my prior
> consent.  The disclosure as such wasn't a problem, except for a single
> technical inaccuracy that has since been corrected.  It was an honest
> mistake, apologies were made and accepted.  It did not impact the
> disclosure schedule at all (it happened after the disclosure), nor the
> amount of information being disclosed in any material way (the Red Hat
> blog post contained essentially the same information).  Once I saw
> what happened, I decided to publish the full message here.

This brings up the question: why did someone (merely?) running a news
site receive the exact advance notification message (or a portion of
it), and when did they receive it?  I doubt a person merely running a
news site actually received advance notification in this case (I hope
not!), but I think you need to clarify this aspect.

> So to repeat: The embargo was scheduled for 14:00 UTC today, and my
> initial brief posting was not prompted by a desire to withhold
> information.  I just wanted to limit the amount of possibly
> conflicting technical information, and I had other duties to attend
> to.  (In retrospect, I should probably have included the message from
> the prenotification from the start, which would have avoided any
> confusion.)

Yes, I think including the full message in your first notification to
oss-security would have worked best.

> We'll also want to discuss additional hardening measures (see my
> message about BASH_FUNCDEFS), and we previously agreed to do this
> publicly, after disclosure.  Obviously, the technical details are
> necessarily public once we do that.
> 
> It's often tricky to decide how much information to include in a
> public vulnerability disclosure.  In this particular case, I think we
> had to publish technical details so that those who cannot patch
> immediately can at least try to mitigate this vulnerability using
> filters on devices in front of web servers, or tools like
> mod_security.  And without the technical details, I doubt this
> vulnerability would have received the attention it deserves until
> someone figures things out.  We could easily have obfuscated the patch
> to delay this, but what's the point?

You're right.

Thank you!

Alexander
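The mitigation Florian mentions above (filtering in front of web servers when the bash update cannot be applied yet) comes down to spotting the CVE-2014-6271 trigger in inbound HTTP requests. The example below is added here and is not code from the thread, from Openwall or from Red Hat. It assumes the publicly known shape of the trigger: bash imported a function definition from any environment variable whose value began with "() {", and CGI servers export request headers and request-line parts into exactly such variables. The sample requests are constructed for the example; the host and attacker names in them are placeholders.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# CVE-2014-6271 trigger: an environment variable whose value starts with
# "() {" is parsed by vulnerable bash as a function definition, and anything
# after the closing brace is executed.  Matching the prefix anywhere in a
# header value or request target (rather than only at offset 0) is a
# deliberate, conservative choice: the server may split the request and
# export a substring (PATH_INFO, QUERY_STRING) as its own variable.
TRIGGER_RE = re.compile(r"\(\)\s*\{")

# Constructed sample requests for this example; they are not from the post.
SAMPLE_REQUESTS: Dict[str, str] = {
    "ua-probe": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: () { :;}; /bin/ping -c1 attacker.example\r\n"
        "\r\n"
    ),
    "cookie-probe": (
        "GET /cgi-bin/login HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "Cookie: () { ignored;}; echo owned\r\n"
        "Referer: http://www.example.test/\r\n"
        "\r\n"
    ),
    "path-probe": (
        "GET /cgi-bin/info/()%20{%20:;};%20id HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: curl/7.37.0\r\n"
        "\r\n"
    ),
    "benign": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n"
        "Accept: text/html,application/xhtml+xml\r\n"
        "\r\n"
    ),
}


def find_trigger(raw_request: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs of one raw HTTP request carrying the trigger.

    The request target is percent-decoded before matching because servers
    decode PATH_INFO before exporting it; header values are checked as sent,
    since they reach the CGI environment unchanged.
    """
    hits: List[Tuple[str, str]] = []
    lines = raw_request.split("\r\n")
    if not lines or not lines[0]:
        return hits
    parts = lines[0].split(" ")
    if len(parts) >= 2:
        target = unquote(parts[1])
        if TRIGGER_RE.search(target):
            hits.append(("request-target", target))
    for line in lines[1:]:
        if not line:
            break  # the blank line ends the header block; ignore any body
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if TRIGGER_RE.search(value):
            hits.append((name.strip(), value.strip()))
    return hits


def triage(requests: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Run find_trigger over a batch and keep only the requests that hit."""
    return {label: hits for label, raw in requests.items() if (hits := find_trigger(raw))}


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_REQUESTS).items():
        for field, value in hits:
            print(f"{label}: block, {field} = {value!r}")
```

A filter like this belongs in front of the CGI-exposed hosts only as a stopgap: it accepts the occasional false positive from a legitimate header containing "() {" in exchange for catching the trigger in every field the server might export, and it does nothing for non-HTTP paths into bash (SSH ForceCommand, DHCP clients), which only the bash update covers.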
