Message-ID: <20240329211052.GA2470@openwall.com>
Date: Fri, 29 Mar 2024 22:10:52 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

On Fri, Mar 29, 2024 at 07:55:48PM -0000, Tavis Ormandy wrote:
> Thanks Andres, amazing work!

Certainly, thank you very much Andres!  Many others have helped in
various ways as well, all of this is appreciated.

> I have a minor procedural question for Solar though, shouldn't this
> have been redirected to oss-security immediately from distros? What's
> the rationale for an embargo here?

We don't have a clear policy for such a case.  Some distros list members
have indeed suggested making this public ASAP.  We ended up delaying
publication by one day per my suggestion (as a compromise between ASAP
and having no specific CRD), and I think these are some reasons why:

1. Some specific distros were affected (or at least some people thought
so) and it was under (fast-paced) discussion whether we as a group agree
they may go for not-too-revealing reverts or source tarball replacements
before the rationale for those becomes public knowledge.  Several
distros in fact ended up doing those things and preparing advisories.
This meant that when Andres posted to oss-security, users of those
distros already had a clear course of action - just install updates.
For example, Debian issued an advisory almost immediately after the
oss-security posting.  I think that was helpful.  If this were made
public yesterday, there would be more of a panic.

2. We didn't know how the culprit (or group) would react when they
learned of the full extent of the community's awareness.  It could be
better to have fewer systems still "held hostage" by that point, which
availability of distros' revert/update packages may have helped achieve.
(This wasn't discussed, but I had it in mind.  Maybe others had such
thoughts too.)

3. We were aware of concurrent coordination efforts by other groups
(CERT/CC, CISA) and we didn't want to interfere with their plans.

4. More findings were still being made and the wording of Andres'
posting improved per private feedback.

Alexander
