Date: Sun, 28 Mar 2021 18:35:29 +0000 From: Mark J Cox <mark@...nssl.org> To: oss-security@...ts.openwall.com Subject: Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing The usual process for OpenSSL pre-notifications (as per our security policy at https://www.openssl.org/policies/secpolicy.html ) is to give a heads up message to the private distros list and ask vendors who want details to reconfirm they will abide by the embargo guidelines. For those that do, we then add to a private github fork where they can view the advisory and patches and also comment (since the comments and testing from such packagers are very valuable in making sure we get the right fix the first time). However this time we faced a little bit of a time crunch, we want to get fixes for High issues out as soon as we can, but with the Easter public holidays looming for several of our team, and some already pre-planned OpenSSL team holidays, we decided to give less than our usual one-full-week prenotification. Usually that process of waiting for responses takes an extra trip around the sun due to timezones, so I decided to skip it and added all the same folks who had access to the last issue to this issue, and the mail to distros@ asked the members to let me know if I needed to make any add/remove changes to that list. Those who accessed the link were reminded of the embargo and guidelines in a few places. We were alerted to the Wind River security advisory being public by a vendor after they saw a tweet about it. The page stated there were two issues, gave the CVE names for the two issues, and gave the one line description of each issue. It also, as you stated, listed the commit hashes and the URL to the private github advisory and fork. However those commits and the URLs were part of the private github branch therefore protected and only accessible to the specific github ids for the vendors we'd added. At that point we were only 24 hours away from the scheduled release date, and the extra details on the page were not sufficient for us to call the embargo broken nor to bring forward the release date. We did however ask Wind River to remove the page and provide an explanation, which they did. We continued to monitor to see if the CVE names were being discussed in case we had to change the plan. The final publication and hence end of the embargo happened to the planned schedule. Mark > On Sat, Mar 27, 2021 at 6:05 PM Solar Designer <solar@...nwall.com> wrote: > ... > So I'd appreciate an explanation/statement from Wind River on what >> happened and what measures, if any, are being taken to prevent this from >> happening again. I'd also appreciate a comment from OpenSSL. >> >> The leak was on a web page archived here: >> >> >> https://web.archive.org/web/20210324105700/https://support2.windriver.com/index.php?page=security-notices&on=view&id=7055 >> >> As I recall, the private GitHub links in there gave me "404 Not Found" >> soon after the windriver.com link (which was live at the time, not >> needing archive.org) was sent to the distros list by a concerned fellow >> distro. This means that either OpenSSL promptly brought them down or >> they were only ever accessible under appropriately privileged GitHub >> accounts. In the latter case, the existence of that web page with its >> content might not have been that much of a leak, as in addition to the >> public pre-notification the web page only contained CVE IDs and one-line >> vulnerability titles and commit hashes and those GitHub links. If the >> actual commits and the links were never publicly accessible, then it >> wasn't that much of an issue and reasonably didn't require considering >> the embargo broken. >> >> Another concern I have is that I have to write this to ever hear from >> Wind River. I'd have expected them to comment on the distros list the >> moment this was brought up in there - but they kept silent. Did they >> even see the message? (Of course, I could ask privately, but the >> concerns are already public and we need to discuss this in public.) >> >> To summarize, this is probably not a big deal, but let's figure out what >> happened and what can be done better next time. >> >> Thanks, >> >> Alexander >> >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.