Date: Sat, 18 Aug 2018 07:51:58 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Rule for releasing fixes for embargoed bugs

[I'm responding to this since I feel that the question has not clearly
been answered and it deserves to be. If the below is wrong I welcome the
education and this would be why it needs clarifying.]

On 17/08/18 23:45, Dominique Martinet wrote:
>
> When should vendors publish fixes for bugs that are under embargo?
> ...
>
> I'm asking because this happened today and some vendor released a kernel
> with patches for ...

As I understand the process this "released" is the point where the
embargo ceases. If the agreed embargo time was not already over the
vendor is responsible for having "broken" the embargo. So this release
should not have happened prior to the agreed embargo time.

Broken or not it is over now.

> CVE-2018-3690 (yet another speculation/side-channel
> vulnerability), but their fix for it broke another component in the
> kernel (RDMA networking) and people trying to fix that bug are now
> wasting theirs and everyone's/my time saying they cannot make the RDMA
> issue public because it has been caused by a security fix still under
> embargo.

As the embargo was ended as per above, these types of thing are not
blocked.

Secondary patches are only affected if found while waiting to release
the embargoed changes. In which case there is either nothing released to
clients needing it, or it is an independent bug that should be able to
publish a fix without reference to the embargoed issue.

AYJ