Message-ID: <20120329122947.GB26304@openwall.com>
Date: Thu, 29 Mar 2012 16:29:47 +0400
From: Solar Designer <solar@...nwall.com>
To: "Timothy D. Morgan" <tmorgan@...curity.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)

On Tue, Mar 27, 2012 at 12:39:00PM -0700, Timothy D. Morgan wrote:
> > "If you have not yet notified upstream projects/developers of the
> > affected software, other affected distro vendors, and/or affected Open
> > Source projects, you may want to do so before notifying one of these
> > mailing lists in order to ensure that these other parties are OK with
> > the maximum embargo period that would apply (and if not, then you may
> > have to delay your notification to the mailing list), unless you're
> > confident you'd choose to ignore their preference anyway and disclose
> > the issue publicly soon as per the policy stated here."
>
> You may want to re-word this a little to make it utterly clear to those who
> don't take the time to think about it. Perhaps something like "If you expect
> upstream vendors to require more than 14-19 days to develop a fix, establish a
> release date with them prior to notifying this list". You could also break it
> down into step-by-step bullets. That page has grown much larger now and it is
> tempting to skim...

Thank you for the suggestion. Unfortunately, adding more clarity and specific
examples would make the wiki page even longer and potentially more tempting to
skim/skip.

For now, I opted to simplify the text quoted above to:

"Please notify upstream projects/developers of the affected software, other
affected distro vendors, and/or affected Open Source projects before notifying
one of these mailing lists in order to ensure that these other parties are OK
with the maximum embargo period that would apply (and if not, then you may have
to delay your notification to the mailing list), unless you're confident you'd
choose to ignore their preference anyway and disclose the issue publicly soon
as per the policy stated here."

This is slightly shorter and it let me add emphasis (bold face) in some places.

Alexander