Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 23 Sep 2017 14:57:27 +0100
From: Simon McVittie <>
Subject: Re: Why send bugs embargoed to distros?

On Sat, 23 Sep 2017 at 13:44:18 +0200, Hanno Böck wrote:
> Debian+Ubuntu took more than a day after disclosure to fix. According
> to the Debian bug tracker the bug got only opened after the public
> disclosure[2].

The Debian bug tracker ( is always public and has no
mechanism for embargoing individual bugs, so it is never used before
public disclosure.

It's entirely possible that your conclusion is correct in this case
(I don't have any more information than you do on whether the Debian
security team or package maintainer made use of the embargo period
for this vulnerability), but the late opening of a bug is not evidence
that no work was done before public disclosure. is an example
of a vulnerability for which the package maintainer (me) was definitely
aware before the bug was filed.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.