oss-security - Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Sat, 30 Mar 2024 13:09:08 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: "Liguori, Anthony" <aliguori@...zon.com>
Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Re: backdoor in upstream xz/liblzma leading to
 ssh server compromise

* Anthony Liguori:

> I think we should have a policy that if issues are suspected to be
> actively exploited, that the issue goes public immediately.  If even
> there is no patch or mitigation, there's not a lot of benefit to
> keeping it private.

I think we are heading in this direction anyway, given that more and
more people are under reporting obligations for active exploitation.
Untangling who has to be notified when isn't really a good use of our
time.  I expect we'll have to tell reporters that if they tell us that
a vulnerabilty is under active exploitation, we'll have to go public
more or less immediately.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.