Date: Sun, 28 Mar 2021 18:35:29 +0000
From: Mark J Cox <mark@...nssl.org>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing

The usual process for OpenSSL pre-notifications (as per our security policy
at https://www.openssl.org/policies/secpolicy.html ) is to give a heads-up
message to the private distros list and ask vendors who want details to
reconfirm they will abide by the embargo guidelines.  For those that do, we
then add them to a private github fork where they can view the advisory and
patches and also comment (since the comments and testing from such
packagers are very valuable in making sure we get the right fix the first
time).

However, this time we faced a little bit of a time crunch: we want to get
fixes for High issues out as soon as we can, but with the Easter public
holidays looming for several of our team, and some already pre-planned
OpenSSL team holidays, we decided to give less than our usual one-full-week
prenotification.  Usually that process of waiting for responses takes an
extra trip around the sun due to timezones, so I decided to skip it and
added all the same folks who had access to the last issue to this issue,
and the mail to distros@ asked the members to let me know if I needed to
make any add/remove changes to that list.  Those who accessed the link were
reminded of the embargo and guidelines in a few places.

We were alerted to the Wind River security advisory being public by a
vendor after they saw a tweet about it.  The page stated there were two
issues, gave the CVE names for the two issues, and gave the one-line
description of each issue.  It also, as you stated, listed the commit
hashes and the URL to the private github advisory and fork.  However, those
commits and the URLs were part of the private github branch and therefore
protected, accessible only to the specific github ids for the vendors
we'd added.

At that point we were only 24 hours away from the scheduled release date,
and the extra details on the page were not sufficient for us to call the
embargo broken nor to bring forward the release date.  We did however ask
Wind River to remove the page and provide an explanation, which they did.
We continued to monitor to see if the CVE names were being discussed in
case we had to change the plan.  The final publication and hence end of the
embargo happened to the planned schedule.

Mark


> On Sat, Mar 27, 2021 at 6:05 PM Solar Designer <solar@...nwall.com> wrote:
>
...

>> So I'd appreciate an explanation/statement from Wind River on what
>> happened and what measures, if any, are being taken to prevent this from
>> happening again.  I'd also appreciate a comment from OpenSSL.
>>
>> The leak was on a web page archived here:
>>
>>
>> https://web.archive.org/web/20210324105700/https://support2.windriver.com/index.php?page=security-notices&on=view&id=7055
>>
>> As I recall, the private GitHub links in there gave me "404 Not Found"
>> soon after the windriver.com link (which was live at the time, not
>> needing archive.org) was sent to the distros list by a concerned fellow
>> distro.  This means that either OpenSSL promptly brought them down or
>> they were only ever accessible under appropriately privileged GitHub
>> accounts.  In the latter case, the existence of that web page with its
>> content might not have been that much of a leak, as in addition to the
>> public pre-notification the web page only contained CVE IDs and one-line
>> vulnerability titles and commit hashes and those GitHub links.  If the
>> actual commits and the links were never publicly accessible, then it
>> wasn't that much of an issue and reasonably didn't require considering
>> the embargo broken.
>>
>> Another concern I have is that I have to write this to ever hear from
>> Wind River.  I'd have expected them to comment on the distros list the
>> moment this was brought up in there - but they kept silent.  Did they
>> even see the message?  (Of course, I could ask privately, but the
>> concerns are already public and we need to discuss this in public.)
>>
>> To summarize, this is probably not a big deal, but let's figure out what
>> happened and what can be done better next time.
>>
>> Thanks,
>>
>> Alexander
>>
>
