Date: Tue, 7 Oct 2014 09:51:50 +0400
From: Solar Designer <>
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Sun, Oct 05, 2014 at 07:48:24PM +0000, Sona Sarmadi wrote:
> Yes you are right, I am one of the distro vendors which is unfortunately not on the closed list so we only found out about this vulnerability when it became public.

"Luckily", being on the closed list wouldn't be of much help in this
case: at best, you'd learn of "some" bash vulnerability to be disclosed
in 2 days, would have actually requested the detail, then would have
learned of the initial CVE-2014-6271 bug, and would have prepared bash
updates fixing this one bug - all within those 2 days or less.  And then
you'd need to rush further fixes (hopefully, merging the prefix/suffix
patch soon after Florian posted it) just like you could without being on
the closed list.

Shellshock is actually an example of "selective disclosure" (as Ted
Unangst calls it) arguably not working well enough to be worthwhile.
In this case, it was because the right ones (as it turned out) of the
"many eyeballs" - Tavis and Michal - were not party to the "selective
disclosure".  Florian was, but I am guessing that without finding more
parser bugs convincing Chet and distros to remove exposure of the parser
so urgently would have been difficult.  Arguably, this suggests that we
should expand the distros list membership with security researchers who
are capable, willing, and have (paid?) time to review upcoming security
patches and the software being patched for possible other flaws closely
related to those being patched.  Currently, such reviews sometimes
happen (to some extent) due to people who are with distros' security
teams.  On the old vendor-sec, we did have some security researchers who
were not with any specific distro, and this was of some help, but it was
unclear where to draw the line on who to accept (even more so than with
accepting distros), hence I did not continue this practice when setting
up the distros list.  Would a security researcher on distros list
actively request detailed info from Florian based on the vague message
that Florian did send to the list?  I doubt it.  But then, if we did
have such an arrangement in place, maybe Florian would have worded the
message differently, specifically asking for more eyeballs.  There's so
much uncertainty here.

I don't know for sure, but I guess Ted intentionally alluded to the
negative meaning "selective disclosure" has in financial markets:

I don't mind, and the irony is not lost on me (as someone hosting the
distros list - a place for such controversial activities).

Would immediate full disclosure of Shellshock have helped?  I doubt it.
Perhaps advance analysis of impact and advance preparation of patches
and of some distro updates, even if just for the worst parser bug rather
than for removing exposure of the parser, had some positive effect on
security of the Internet at large.  It got the affected parties
(upstream, distros) working together, which likely resulted in quicker
response to further discoveries.

> A while ago I sent a membership request to the closed vendor list and was denied by you & Kurt :) which was understandable since we were not ready at that time.

Oh, I didn't recall.  (Kurt couldn't have literally "denied" you
membership - he could merely bring up concerns and reasons, and could
have voiced an opinion, like anyone else in here.)

I found this thread now:

> After that we have worked hard to create a security team and build in-house security competence. We have been looking at security tests and tools, define a security incident management processes, create security checklist, we have been tracking all security vulnerabilities. As part of our security process we have insured that our bug tracking system has in-built security so sensitive/embargoed information can be kept confidential.
>  For an overview please see our security web page:  and  wiki-vendor list:

This sounds mostly good.  A "bug tracking system" with "in-built
security" does not make me confident, although I realize that vendors
like Red Hat are using setups that would be described similarly.

> When do you think we (Enea) are ready for membership on the closed vendor list? What else do you think we need to do?

I think you may be in the gray area now, as opposed to clearly not
eligible for distros list membership like you were last year.

Unfortunately, there are currently several pending requests that I feel
fall in the gray area (some are in here, and some off-list, which I
surely would require bringing to oss-security before they may possibly
be satisfied), and this bothers me.  Arguably, this indicates that we're
beyond the (very limited) time period where I could reasonably host a
vendor-sec replacement list without it becoming too controversial.  So I
think that we'll need to discuss several other requests before we
approach yours, and I just fail to find time to get into that lately.

That said, the first link from:

currently leads to:

and this shows:

"The Security-announce Archives 

No messages have been posted to this list yet, so the archives are
currently empty."

Why is that?  We'd need some way to see that you're actually issuing
security updates, and how promptly you do that.
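The message above refers to the initial CVE-2014-6271 bug and to the prefix/suffix patch that stopped bash from running its function parser on arbitrary environment variables. The script below is an added example, not part of Solar Designer's message or of the bash project; it checks an installed bash for both. It assumes bash is on PATH and that a patched bash names exported functions either BASH_FUNC_name%% (upstream) or BASH_FUNC_name() (the variant some distributions shipped); the function names and the test strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original message): probe an installed bash for
# the original CVE-2014-6271 behaviour and for the prefix/suffix patch that
# restricts function import to specially named environment variables.
# Assumption: "bash" is on PATH. Before the prefix/suffix patch an exported
# function "f" was passed to child shells as a plain variable named "f".

# Prints "vulnerable" if a function definition placed in an arbitrary env var
# is parsed and its trailing command executed at startup (CVE-2014-6271),
# "patched" otherwise, and "no-bash" if bash is not installed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Constructed probe: the "echo vulnerable" after the function body would
    # run while bash imports the environment, before "echo test".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Prints "prefixed" if exported functions are passed in namespaced variables
# (BASH_FUNC_f%% upstream, BASH_FUNC_f() in the Red Hat-style variant),
# "exposed" if the bare function name is used (parser reachable from any
# variable), "unknown" for anything else, and "no-bash" if bash is absent.
function_export_style() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    names=$(bash -c 'f() { echo hi; }; export -f f; env' 2>/dev/null)
    if printf '%s\n' "$names" | grep -Eq '^BASH_FUNC_f(%%|\(\))='; then
        echo prefixed
    elif printf '%s\n' "$names" | grep -q '^f=() {'; then
        echo exposed
    else
        echo unknown
    fi
}

# Report when run directly.
printf 'CVE-2014-6271 import check: %s\n' "$(shellshock_status)"
printf 'exported-function naming:   %s\n' "$(function_export_style)"
```

A bash that reports "patched" but "exposed" has the first fix only: the parser still sees every environment variable, which is the state the follow-up parser bugs exploited; "prefixed" is what the prefix/suffix patch produces.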
