Date: Tue, 7 Oct 2014 09:51:50 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code On Sun, Oct 05, 2014 at 07:48:24PM +0000, Sona Sarmadi wrote: > Yes you are right, I am one of the distro vendors which is unfortunately not on the closed list so we only found out about this vulnerability when it became public. "Luckily", being on the closed list wouldn't be of much help in this case: at best, you'd learn of "some" bash vulnerability to be disclosed in 2 days, would have actually requested the detail, then would have learned of the initial CVE-2014-6271 bug, and would have prepared bash updates fixing this one bug - all within those 2 days or less. And then you'd need to rush further fixes (hopefully, merging the prefix/suffix patch soon after Florian posted it) just like you could without being on the closed list. Shellshock is actually an example of "selective disclosure" (as Ted Unangst calls it) arguably not working well enough to be worthwhile. In this case, it was because the right ones (as it turned out) of the "many eyeballs" - Tavis and Michal - were not party to the "selective disclosure". Florian was, but I am guessing that without finding more parser bugs convincing Chet and distros to remove exposure of the parser so urgently would have been difficult. Arguably, this suggests that we should expand the distros list membership with security researchers who are capable, willing, and have (paid?) time to review upcoming security patches and the software being patched for possible other flaws closely related to those being patched. Currently, such reviews sometimes happen (to some extent) due to people who are with distros' security teams. On the old vendor-sec, we did have some security researchers who were not with any specific distro, and this was of some help, but it was unclear where to draw the line on who to accept (even more so than with accepting distros), hence I did not continue this practice when setting up the distros list. Would a security researcher on distros list actively request detailed info from Florian based on the vague message that Florian did send to the list? I doubt it. But then, if we did have such an arrangement in place, maybe Florian would have worded the message differently, specifically asking for more eyeballs. There's so much uncertainty here. http://www.tedunangst.com/flak/post/responsible-disclosure I don't know for sure, but I guess Ted intentionally alluded to the negative meaning "selective disclosure" has in financial markets: http://en.wikipedia.org/wiki/Selective_disclosure I don't mind, and the irony is not lost on me (as someone hosting the distros list - a place for such controversial activities). Would immediate full disclosure of Shellshock have helped? I doubt it. Perhaps advance analysis of impact and advance preparation of patches and of some distro updates, even if just for the worst parser bug rather than for removing exposure of the parser, had some positive effect on security of the Internet at large. It got the affected parties (upstream, distros) working together, which likely resulted in quicker response to further discoveries. > A while ago I sent a membership request to the closed vendor list and was denied by you & Kurt :) which was understandable since we were not ready at that time. Oh, I didn't recall. (Kurt couldn't have literally "denied" you membership - he could merely bring up concerns and reasons, and could have voiced an opinion, like anyone else in here.) I found this thread now: http://www.openwall.com/lists/oss-security/2013/07/01/4 > After that we have worked hard to create a security team and build in-house security competence. We have been looking at security tests and tools, define a security incident management processes, create security checklist, we have been tracking all security vulnerabilities. As part of our security process we have insured that our bug tracking system has in-built security so sensitive/embargoed information can be kept confidential. > > For an overview please see our security web page: http://www.enea.com/solutions/Enea-Linux/Security/ and wiki-vendor list: http://oss-security.openwall.org/wiki/vendors. This sounds mostly good. A "bug tracking system" with "in-built security" does not make me confident, although I realize that vendors like Red Hat are using setups that would be described similarly. > When do you think we (Enea) are ready for membership on the closed vendor list? What else do you think we need to do? I think you may be in the gray area now, as opposed to clearly not eligible for distros list membership like you were last year. Unfortunately, there are currently several pending requests that I feel fall in the gray area (some are in here, and some off-list, which I surely would require bringing to oss-security before they may possibly be satisfied), and this bothers me. Arguably, this indicates that we're beyond the (very limited) time period where I could reasonably host a vendor-sec replacement list without it becoming too controversial. So I think that we'll need to discuss several other requests before we approach yours, and I just fail to find time to get into that lately. That said, the first link from: http://oss-security.openwall.org/wiki/vendors#enea currently leads to: http://mail.lists.enea.com/pipermail/security-announce/ and this shows: "The Security-announce Archives No messages have been posted to this list yet, so the archives are currently empty." Why is that? We'd need some way to see that you're actually issuing security updates, and how promptly you do that. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.