oss-sec mailing list archives
Re: Rule for releasing fixes for embargoed bugs
From: Dominique Martinet <asmadeus () codewreck org>
Date: Fri, 17 Aug 2018 15:14:01 +0200
Marcus Meissner wrote on Fri, Aug 17, 2018:
> There seems to be some miscommunication here, which should be directly clarified with the security team of the affected distribution(s).
You are correct, I will also send them an email.
> Rule of thumb is: when a vendor publishes updates for an issue, the issue is public and can be referenced publicly. I do not understand why you would get push back unless there are communication problems.
>
> Also FWIW CVE-2018-3690 is an older reference to "Bounds Check Bypass Store", which is now tracked as CVE-2018-3693 and is public.
Thank you for the reference to the new CVE, I only had what was in the package changelog to go with and none of the trackers I know about reference CVE-2018-3690 as a duplicate/old name of CVE-2018-3693, so it was confusing. This is actually pretty reassuring that the rule is then appropriately respected.

That being said, if CVE-2018-3693 is public there really is no reason to say what they said in the discussions I have had with the RDMA folks, so I will work to clear that up.

Thanks,
--
Dominique Martinet