lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <4F721289.9090207@vsecurity.com>
Date: Tue, 27 Mar 2012 12:18:33 -0700
From: VSR Advisories <advisories@...curity.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)

Hi Alexander,

As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.


> When it became apparent that this was to be violated since one or two of 
> the affected upstreams wanted much more time, the reporter (Timothy D. 
> Morgan of VSR Security) explained that at the time of his initial 
> notification he had thought that 14 days would in fact be enough.  While 
> this sounds like a rather fundamental problem with a maximum embargo time 
> policy (it is always possible that something new is discovered during 
> discussion, which may invalidate the initial time estimate of the 
> reporter), I've just added the following verbiage to hopefully reduce the 
> number of such occurrences going forward:
> 
> "If you have not yet notified upstream projects/developers of the affected 
> software, other affected distro vendors, and/or affected Open Source 
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."

I think this is a good idea.  I likely misunderstood the process you want
researchers to follow when it comes to using the distros list.  While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.


I'll reserve some additional comments for the oss-security list exclusively.

Thanks,
tim
