Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Jul 2019 13:50:09 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead

On Mon, Jul 22, 2019 at 12:29:53PM +0100, Stuart Henderson wrote:
> On 2019/07/22 11:21, Mikhail Klementev wrote:
> > Kindly notice that this is a public mail list.
> 
> The sender is clearly aware of this, see the timeline.

Exactly.  It's just an unusual disclosure process that involves giving
the users a heads-up a few days before public disclosure of the actual
vulnerabilities and fixes.  So far, this process is practiced by OpenSSL
and Exim (any others?)

Unfortunately, this keeps confusing people, which is why this time
Heiko's message starts with "Note: EMBARGO is still in effect".  Judging
by Mikhail's reply, this wasn't good enough to avoid confusion, and I
don't know what would be - maybe a paragraph of text acknowledging that
the disclosure process is unusual?  Somehow I didn't notice such
confusion in response to OpenSSL's pre-announcements (not here, but on
their own announce list), so maybe Exim should try to reuse OpenSSL's
wording.  Here's an example:

https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html

---
Subject: Forthcoming OpenSSL Releases
Date: Tue, 19 Feb 2019 16:10:20 +0000

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1b and 1.0.2r. There will be no new 1.1.0 release at
this time.

These releases will be made available on 26th February 2019 between
approximately 1300-1700 UTC.

OpenSSL 1.0.2r is a security-fix release. The highest severity issue fixed in
this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1b is a bug-fix release.

Yours

The OpenSSL Project Team
---

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.