Date: Mon, 22 Jul 2019 13:50:09 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead

On Mon, Jul 22, 2019 at 12:29:53PM +0100, Stuart Henderson wrote:
> On 2019/07/22 11:21, Mikhail Klementev wrote:
> > Kindly notice that this is a public mail list.
>
> The sender is clearly aware of this, see the timeline.

Exactly. It's just an unusual disclosure process that involves giving the users a heads-up a few days before public disclosure of the actual vulnerabilities and fixes. So far, this process is practiced by OpenSSL and Exim (any others?)

Unfortunately, this keeps confusing people, which is why this time Heiko's message starts with "Note: EMBARGO is still in effect". Judging by Mikhail's reply, this wasn't good enough to avoid confusion, and I don't know what would be - maybe a paragraph of text acknowledging that the disclosure process is unusual?

Somehow I didn't notice such confusion in response to OpenSSL's pre-announcements (not here, but on their own announce list), so maybe Exim should try to reuse OpenSSL's wording. Here's an example:

https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html

---
Subject: Forthcoming OpenSSL Releases
Date: Tue, 19 Feb 2019 16:10:20 +0000

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1b and 1.0.2r.

There will be no new 1.1.0 release at this time.

These releases will be made available on 26th February 2019 between approximately 1300-1700 UTC.

OpenSSL 1.0.2r is a security-fix release. The highest severity issue fixed in this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1b is a bug-fix release.

Yours
The OpenSSL Project Team
---

Alexander