Message-ID: <20190722115009.GA4117@openwall.com>
Date: Mon, 22 Jul 2019 13:50:09 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead

On Mon, Jul 22, 2019 at 12:29:53PM +0100, Stuart Henderson wrote:
> On 2019/07/22 11:21, Mikhail Klementev wrote:
> > Kindly notice that this is a public mail list.
> 
> The sender is clearly aware of this, see the timeline.

Exactly.  It's just an unusual disclosure process that involves giving
the users a heads-up a few days before public disclosure of the actual
vulnerabilities and fixes.  So far, this process is practiced by OpenSSL
and Exim (any others?)

Unfortunately, this keeps confusing people, which is why this time
Heiko's message starts with "Note: EMBARGO is still in effect".  Judging
by Mikhail's reply, this wasn't good enough to avoid confusion, and I
don't know what would be - maybe a paragraph of text acknowledging that
the disclosure process is unusual?  Somehow I didn't notice such
confusion in response to OpenSSL's pre-announcements (not here, but on
their own announce list), so maybe Exim should try to reuse OpenSSL's
wording.  Here's an example:

https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html

---
Subject: Forthcoming OpenSSL Releases
Date: Tue, 19 Feb 2019 16:10:20 +0000

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.1b and 1.0.2r. There will be no new 1.1.0 release at
this time.

These releases will be made available on 26th February 2019 between
approximately 1300-1700 UTC.

OpenSSL 1.0.2r is a security-fix release. The highest severity issue fixed in
this release is MODERATE:
https://www.openssl.org/policies/secpolicy.html#moderate

OpenSSL 1.1.1b is a bug-fix release.

Yours

The OpenSSL Project Team
---

Alexander
