Message-ID: <20110601140708.GA15031@openwall.com>
Date: Wed, 1 Jun 2011 18:07:08 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: openssl timing attack

CERT, Thomas, Josh, all -

On Tue, May 31, 2011 at 03:44:40PM -0400, Josh Bressers wrote:
> ----- Original Message -----
> > looks like this following has not CVE-ID assigned yet:
> > http://www.kb.cert.org/vuls/id/536044
> 
> Please use CVE-2011-1945.

Thanks!

The CERT Vulnerability Note says: "Date Public:	2011-05-17", yet this
was only brought to oss-security on the 31st.  According to the
Vulnerability Note, CERT notified a handful of distros, but definitely
by far not all those shipping OpenSSL (which would be unrealistic) and
not all those CERT had been notifying of similar issues before (which
was realistic).  I am not too concerned about the issue itself and about
the more restricted advance notification, but I am concerned about the
delay between CERT making a Vulnerability Note public and us (as well as
many others) learning of it (via oss-security in this case).  Maybe
there's something to improve in this area.

I went to http://www.us-cert.gov/cas/signup.html to see if there's a
public CERT mailing list I should be on in order to receive new
Vulnerability Notes (that are being made public) with no delay (or at
least with less delay).  Unfortunately, for Vulnerability Notes there
appears to be an Atom feed only, no mailing list (which I'd prefer).
Perhaps set one up?

Also, do we possibly want all Open Source software security issues to be
brought to oss-security, even if they already have CVE IDs assigned?
For example, don't we want all issues discussed on the Linux distros
closed list to eventually be mentioned in here (in addition to the
distro vendor advisories)?  I think we do.  Ditto for stuff handled via
US-CERT and other CERTs.

Once again, I am not too concerned about the specific OpenSSL issue,
which even the OpenSSL team does not find important enough to warrant a
security fix release (according to their vendor statement to CERT),
although I like the research behind it.  I just think that it's an
opportunity for us to learn to avoid such two-week post-disclosure
delays in the future, potentially for more severe issues.

I'd appreciate any comments.

Thanks,

Alexander
