oss-sec mailing list archives

Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)


From: VSR Advisories <advisories () vsecurity com>
Date: Tue, 27 Mar 2012 12:18:33 -0700

Hi Alexander,

As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.


> When it became apparent that this was to be violated since one or two of
> the affected upstreams wanted much more time, the reporter (Timothy D.
> Morgan of VSR Security) explained that at the time of his initial
> notification he had thought that 14 days would in fact be enough.  While
> this sounds like a rather fundamental problem with a maximum embargo time
> policy (it is always possible that something new is discovered during
> discussion, which may invalidate the initial time estimate of the
> reporter), I've just added the following verbiage to hopefully reduce the
> number of such occurrences going forward:
>
> "If you have not yet notified upstream projects/developers of the affected
> software, other affected distro vendors, and/or affected Open Source
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."

I think this is a good idea.  I likely misunderstood the process you want
researchers to follow when it comes to using the distros list.  While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.


I'll reserve some additional comments for the oss-security list exclusively.

Thanks,
tim

