oss-sec mailing list archives
Re: LMS-2014-06-16-1: Oberhumer LZO
From: "Don A. Bailey" <donb () securitymouse com>
Date: Thu, 26 Jun 2014 21:15:05 -0600
Totally understand. Not a problem at all, I thought I should just offer my perspective for this list, as they were not on the Linux kernel thread, nor the distros thread. :-) I'm very happy to hear you agree that negative impact was minimal. D On Thu, Jun 26, 2014 at 9:10 PM, Solar Designer <solar () openwall com> wrote:
Don, On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote:I chose not to release the bug reports to the public within the timeframe suggested by Solar for several reasons: 1) I have deep visibility into the vulnerable code and understand the constraints of exploitation and the breadth 2) The public exposure was non-obvious, and was not advertised by the vendor 3) The most widely effected vendors (Linux and Oberhumer) had yet to release a patch publicly 4) The time between exposure and public release was short enough to negative exposureThank you for providing this reasoning.My job, as I saw it, was to responsibly coordinate word between all parties. I did that as best as I could given the teams, their time zones, their understanding of the bug, and their speed. All in all, I think it worked out OK, and I am satisfied with the result thus far. There are things that could have gone better, but over all each team worked hard to produce solid patches in a reasonable time frame. We hit that goal.I am also of the opinion that everyone did their best, and that's great. I think actual negative impact of the delay is small or non-existent. However, I felt we must have posted these additional comments on the disclosure process in here, because it deviated from what's normally expected for issues disclosed to the distros list: http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists "When the security issue is finally to be made public, it is your (the original reporter's) responsibility to post about it to oss-security (indeed, you and others may also post to any other mailing lists, etc.)" I am tempted to add "on the same day" after "to oss-security", since this is what we expect (and what usually happens), but there may be occasional exceptions like this, so maybe we leave the wording as-is? Alexander
Current thread:
- LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Solar Designer (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Solar Designer (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Yves-Alexis Perez (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO H. Peter Anvin (Jun 27)
- Re: LMS-2014-06-16-1: Oberhumer LZO Yves-Alexis Perez (Jun 28)
- Re: LMS-2014-06-16-1: Oberhumer LZO Solar Designer (Jun 26)