Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170914130443.GA21420@openwall.com>
Date: Thu, 14 Sep 2017 15:04:43 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Denis Ovsienko <denis@...ienko.info>
Subject: Re: tcpdump 4.9.2 is fully available

On Wed, Sep 13, 2017 at 09:59:13PM +0100, Denis Ovsienko wrote:
> As per Alexander's advice, let me comment for the avoidance of doubt that all deliverables for the tcpdump 4.9.2 release are public since today as advised last week. This includes individual commits in the public git repository with reference to particular CVE IDs and credits to the original reporter(s) and the author of each bugfix.

Thank you, Denis.  I was hoping you'd post more like a full advisory,
and include the credits and maybe the disclosure timeline.  I should
have been more specific.

Here's my reconstruction of the timeline:

Unknown date(s) - issues found

Unknown date(s) - issues reported to upstream

September 3 - tcpdump 4.9.2 release prepared, but not supposed to be
made public yet

Unknown date(s) - private disclosure (by upstream?) to some distros (not
via the distros list) with CRD set to September 25 (since a 3 week
embargo was mentioned elsewhere, this could have been on September 4)

September 4 - "The tar.gz turned up in the public release directory on 4
September by an accident"

September 5 - "and was deleted on 5 September"

September 5 - at least Mageia and Fedora update their tcpdump packages,
apparently due to these projects' automated monitoring for new upstream
releases (IIRC, as confirmed by links to automatically-created bug
tracking entries and such)

September 6 - upstream sends private message to some distros about the
leak, moving the CRD to September 13

September 6 - first notification to the distros list by NixOS, who are
not on the list and who thought the information was already known to
list members, saying in part "We don't think that the embargo can be
sustained under these conditions, even for another week."

September 6-8 - several people and distros try and fail to convince
upstream to go public with the full detail ASAP, but nevertheless
receive explicit permission to go ahead with releasing updated packages

September 7 - an Arch Linux developer (who is not on (linux-)distros and
apparently was not aware of the distros list discussion) brings the
issue to oss-security (it's unclear to me how that person knew of the
September 25 initial CRD); I approve that message right away

September 8 - upstream posts a clarification to oss-security, confirming
that distros are right to proceed with releasing updates; the tarball is
placed on the tcpdump.org website

September 13 - full detail is made public (I think this means individual
commits rather than only the tree as a whole)

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.