oss-sec mailing list archives
Re: Rule for releasing fixes for embargoed bugs
From: Amos Jeffries <squid3 () treenet co nz>
Date: Sat, 18 Aug 2018 07:51:58 +1200
[I'm responding to this since I feel that the question has not clearly been answered and it deserves to be. If the below is wrong I welcome the education and this would be why it needs clarifying.]

On 17/08/18 23:45, Dominique Martinet wrote:
> When should vendors publish fixes for bugs that are under embargo ?
> ...
> I'm asking because this happened today and some vendor released a kernel with patches for ...

As I understand the process this "released" is the point where the embargo ceases. If the agreed embargo time was not already over the vendor is responsible for having "broken" the embargo. So this release should not have happened prior to the agreed embargo time. Broken or not it is over now.

> CVE-2018-3690 (yet another speculation/side-channel vulnerability), but their fix for it broke another component in the kernel (RDMA networking) and people trying to fix that bug are now wasting theirs and everyone's/my time saying they cannot make the RDMA issue public because it has been caused by a security fix still under embargo.

As the embargo was ended as per above, these types of things are not blocked. Secondary patches are only affected if found while waiting to release the embargoed changes. In which case there is either nothing released to clients needing it, or it is an independent bug that should be able to publish a fix without reference to the embargoed issue.

AYJ