oss-sec mailing list archives
Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead
From: Eric Blake <eblake () redhat com>
Date: Mon, 22 Jul 2019 08:28:33 -0500
On 7/22/19 6:21 AM, Mikhail Klementev wrote:
> Kindly notice that this is a public mail list.
>
> On Mon, Jul 22, 2019 at 12:00:13PM +0200, Heiko Schlittermann wrote:
>> *** Note: EMBARGO is still in effect until July 25th, 10:00 UTC. ***
>> *** Distros must not publish any detail nor release updates yet. ***
Perhaps part of the confusion stems from:
>> t0: Thu Jul 18 2019
>>   - this notice to distros () vs openwall org and exim-maintainers () exim org
>>   - open limited access to our security Git repo. See below.
This statement makes it sound like the fix can be downloaded by anyone that knows about the git repo containing the fix...
>> t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
>>   - heads-up notice to oss-security () lists openwall com, exim-users () exim org, and exim-announce () exim org
>> t0+~7d: Thu Jul 25 10:00:00 UTC 2019
>>   - Coordinated release date
>>   - publish the patches in our official and public Git repositories and the packages on our FTP server.
>>
>> Downloads available starting at CRD
>> ====================================
>>
>> For release tarballs (exim-4.92.1):
>> http://ftp.exim.org/pub/exim/exim4/
>> The package files are signed with my GPG key.
>>
>> For the full Git repo:
...and when we see below, it looks like you are giving away that repo. But in reality,
>> https://git.exim.org/exim.git
>> https://github.com/Exim/exim [mirror of the above]
>>   - tag exim-4.92.1
>>   - branch exim-4.92.1+fixes
you only published the public repo, which does not yet contain either the tag exim-4.92.1 or the branch exim-4.92.1+fixes until CRD (as promised in the headline). Perhaps the wording could be improved to explicitly mention that the private repo mentioned earlier is specifically redacted from this more public pre-release announcement, and/or by repeating the fact that the public repo will not contain the fix until CRD (some readers will miss details that are presented only in a headline but not reiterated in the body, on the grounds that headlines typically only summarize contents rather than add details, such that you can read slightly faster by skipping headlines if you are going to read the full version instead).
>> The tagged commit is the officially released version. The tag is signed with my GPG key.
>>
>> The +fixes branch isn't officially maintained, but contains useful patches *and* the security fix. The relevant commit is signed with my GPG key.
>>
>> The old exim-4.92+fixes branch is being functionally replaced by the new exim-4.92.1+fixes branch.
Or even the choice of tense in this paragraph may help: it sounds like past tense ("is the officially released version") even though at the time of the email it is a future tense ("will become the officially released version").

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org