Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 18 Aug 2018 07:51:58 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Rule for releasing fixes for embargoed bugs

[I'm responding to this since I feel that the question has not clearly
been answered and it deserves to be. If the below is wrong I welcome the
education and this would be why it needs clarfying. ]


On 17/08/18 23:45, Dominique Martinet wrote:>
>  When should vendors publish fixes for bugs that are under embargo ?
> 
...
> 
> I'm asking because this happened today and some vendor released a kernel
> with patches for ...

As I understand the process this "released" is the point where the
embargo ceases.

If the agreed embargo time was not already over the vendor is
responsible for having "broken" the embargo. So this release should not
have happened prior to the agreed embargo time.

Broken or not it is over now.


CVE-2018-3690 (yet another speculation/side-channel
> vulnerability), but their fix for it broke another component in the
> kernel (RDMA networking) and people trying to fix that bug are now
> wasting their's and everyone's/my time saying they cannot make the RDMA
> issue public because it has been caused by a security fix still under
> embargo.

As the embargo was ended as per above, these types of thing are not blocked.

Secondary patches are only affected if found while waiting to release
the embargoed changes. In which case there is either nothing released to
clients needing it, or it is an independent bug that should be able to
publish a fix without reference to the embargoed issue.

AYJ



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.