Message-ID: <20170923135727.2uys3wgimmyczgy2@perpetual.pseudorandom.co.uk>
Date: Sat, 23 Sep 2017 14:57:27 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On Sat, 23 Sep 2017 at 13:44:18 +0200, Hanno Böck wrote:
> Debian+Ubuntu took more than a day after disclosure to fix. According
> to the Debian bug tracker the bug got only opened after the public
> disclosure[2].

The Debian bug tracker (bugs.debian.org) is always public and has no
mechanism for embargoing individual bugs, so it is never used before
public disclosure.

It's entirely possible that your conclusion is correct in this case
(I don't have any more information than you do on whether the Debian
security team or package maintainer made use of the embargo period
for this vulnerability), but the late opening of a bug is not evidence
that no work was done before public disclosure.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777545 is an example
of a vulnerability for which the package maintainer (me) was definitely
aware before the bug was filed.

    S
