oss-sec mailing list archives
Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
From: Solar Designer <solar () openwall com>
Date: Thu, 29 Mar 2012 16:29:47 +0400
On Tue, Mar 27, 2012 at 12:39:00PM -0700, Timothy D. Morgan wrote:
"If you have not yet notified upstream projects/developers of the affected software, other affected distro vendors, and/or affected Open Source projects, you may want to do so before notifying one of these mailing lists in order to ensure that these other parties are OK with the maximum embargo period that would apply (and if not, then you may have to delay your notification to the mailing list), unless you're confident you'd choose to ignore their preference anyway and disclose the issue publicly soon as per the policy stated here."

You may want to re-word this a little to make it utterly clear to those who don't take the time to think about it. Perhaps something like "If you expect upstream vendors to require more than 14-19 days to develop a fix, establish a release date with them prior to notifying this list". You could also break it down into step-by-step bullets. That page has grown much larger now and it is tempting to skim...
Thank you for the suggestion. Unfortunately, adding more clarity and specific examples would make the wiki page even longer and potentially more tempting to skim/skip. For now, I opted to simplify the text quoted above to:

"Please notify upstream projects/developers of the affected software, other affected distro vendors, and/or affected Open Source projects before notifying one of these mailing lists in order to ensure that these other parties are OK with the maximum embargo period that would apply (and if not, then you may have to delay your notification to the mailing list), unless you're confident you'd choose to ignore their preference anyway and disclose the issue publicly soon as per the policy stated here."

This is slightly shorter and it let me add emphasis (bold face) in some places.

Alexander