oss-sec mailing list archives

Re: OpenSSL 1.0.1 TLS/DTLS heartbeat information disclosure CVE-2014-0160


From: Jussi Eronen <juhani.eronen () ficora fi>
Date: Fri, 25 Apr 2014 14:13:00 +0300

Hello all,

These issues have been discussed in depth on many fora by now, but
replying just for the record:

On 04/08/2014 11:03 PM, Kurt Seifried wrote:
> So to respond/clear up some points:
>
> It appears Codenomicon and Google found the vulnerability
> independently. Google reported it to OpenSSL. Codenomicon reported
> it to NCSC-FI, I'm not sure who (Codenomicon or NCSC-FI) drove the
> notification of CloudFlare/etc. and they also reported it to
> OpenSSL (I don't know if that was before or after notifying
> OpenSSL).

Codenomicon did find the bug independently. Codenomicon did not notify
anyone else than us. We did not notify anyone else but OpenSSL. We did
request a CVE for "a critical issue in OpenSSL" from CERT/CC but did
not provide them any details at that time.

On 04/08/2014 11:28 PM, Yves-Alexis Perez wrote:
> Well, as I put in my tentative timeline, and according to Jussi
> Eronen's (from NCSC-FI, afaict) mail in that thread, NCSC-FI only
> reported to OpenSSL "a couple of hours before the advisory", so my
> understanding is that NCSC-FI was not aware of the vulnerability last
> week. Maybe Codenomicon was, though. Jussi, could you confirm
> that?

We received the vulnerability report from Codenomicon on Thursday the
3rd of April, at around 14.30 EEST. AFAIK Codenomicon had found the
vulnerability at around 09.30 EEST on the same day, while developing
new features to their test tools. We spent a few hours reproducing the
issue, followed by a couple of days of work on the technical report
and other preparatory material for the coordination effort, impact
assessment, etc.

-Jussi