oss-sec mailing list archives
Re: Why send bugs embargoed to distros?
From: Simon McVittie <smcv () debian org>
Date: Sat, 23 Sep 2017 14:57:27 +0100
On Sat, 23 Sep 2017 at 13:44:18 +0200, Hanno Böck wrote:
> Debian+Ubuntu took more than a day after disclosure to fix. According to the Debian bug tracker the bug got only opened after the public disclosure[2].
The Debian bug tracker (bugs.debian.org) is always public and has no mechanism for embargoing individual bugs, so it is never used before public disclosure.
It's entirely possible that your conclusion is correct in this case (I don't have any more information than you do on whether the Debian security team or package maintainer made use of the embargo period for this vulnerability), but the late opening of a bug is not evidence that no work was done before public disclosure.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777545 is an example of a vulnerability for which the package maintainer (me) was definitely aware before the bug was filed.
S