oss-sec mailing list archives

Re: OpenSSL 1.0.1 TLS/DTLS heartbeat information disclosure CVE-2014-0160


From: Solar Designer <solar () openwall com>
Date: Wed, 9 Apr 2014 09:28:40 +0400

On Tue, Apr 08, 2014 at 10:28:24PM +0200, Yves-Alexis Perez wrote:
Well, as I put in my tentative timeline, and according to Jussi Eronen
(from NCSC-FI, afaict) mail in that thread, NCSC-FI only reported to
OpenSSL "a couple of hours before the advisory", so my understanding is
that NCSC-FI was not aware of the vulnerability last week.  Maybe
Codenomicon was, though. Jussi, could you confirm that?

Codenomicon definitely was:

Domain Name: HEARTBLEED.COM
Creation Date: 2014-04-05 15:13:33
Registrant Name: Marko Laakso
Registrant Organization: Codenomicon Oy

Jarkko Lamsa (@lampska), "Fuzzing and threat intel @codenomicon, martial
arts", made some comments on Twitter:

<@lampska> @cynicalsecurity It was independent co-discovery. Plan was for responsible disclosure but it leaked (dunno where) forcing openssl go public

<_snagg> Wait, CloudFlare fixed the OpenSSL bug 1 week ago? somebody is getting the hang of this 'responsible disclosure' thing http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
<@lampska> @_snagg Independent co-discovery. Plan was a responsible disclosure, but it went public too soon http://www.heartbeat.com
<@ysaw> @lampska @_snagg why did some get notified last week, but others didn't get notified until it went public?
<@lampska> @ysaw @_snagg I do not have visibility to what happened there. I do know we had just started conversations with CERTs when this went public

Alexander
