Message-ID: <44612677-8d7c-80b9-919f-705f8b3d0cb4@treenet.co.nz>
Date: Sat, 18 Aug 2018 07:51:58 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Rule for releasing fixes for embargoed bugs

[I'm responding to this since I feel that the question has not clearly
been answered and it deserves to be. If the below is wrong I welcome the
education and this would be why it needs clarifying. ]


On 17/08/18 23:45, Dominique Martinet wrote:
> When should vendors publish fixes for bugs that are under embargo?
> 
...
> 
> I'm asking because this happened today and some vendor released a kernel
> with patches for ...

As I understand the process this "released" is the point where the
embargo ceases.

If the agreed embargo time was not already over the vendor is
responsible for having "broken" the embargo. So this release should not
have happened prior to the agreed embargo time.

Broken or not it is over now.


> CVE-2018-3690 (yet another speculation/side-channel
> vulnerability), but their fix for it broke another component in the
> kernel (RDMA networking) and people trying to fix that bug are now
> wasting their and everyone's/my time saying they cannot make the RDMA
> issue public because it has been caused by a security fix still under
> embargo.

As the embargo was ended as per above, these types of thing are not blocked.

Secondary patches are only affected if found while waiting to release
the embargoed changes. In which case there is either nothing released to
clients needing it, or it is an independent bug that should be able to
publish a fix without reference to the embargoed issue.

AYJ


