oss-sec mailing list archives

Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead


From: Eric Blake <eblake () redhat com>
Date: Mon, 22 Jul 2019 08:28:33 -0500

On 7/22/19 6:21 AM, Mikhail Klementev wrote:
> Kindly notice that this is a public mail list.

> On Mon, Jul 22, 2019 at 12:00:13PM +0200, Heiko Schlittermann wrote:
>> *** Note: EMBARGO is still in effect until July 25th, 10:00 UTC. ***
>> *** Distros must not publish any detail nor release updates yet. ***

Perhaps part of the confusion stems from:

>> t0: Thu Jul 18 2019
>>     - this notice to distros () vs openwall org and exim-maintainers () exim org
>>     - open limited access to our security Git repo. See below.

This statement makes it sound like the fix can be downloaded by anyone
that knows about the git repo containing the fix...


>> t0+~4d: Mon Jul 22 10:00:00 UTC 2019 [NOW]
>>     - heads-up notice to oss-security () lists openwall com,
>>       exim-users () exim org, and exim-announce () exim org
>>
>> t0+~7d: Thu Jul 25 10:00:00 UTC 2019
>>     - Coordinated release date
>>     - publish the patches in our official and public Git repositories
>>       and the packages on our FTP server.

>> Downloads available starting at CRD
>> ====================================
>>
>> For release tarballs (exim-4.92.1):
>>
>>     http://ftp.exim.org/pub/exim/exim4/
>>
>> The package files are signed with my GPG key.
>>
>> For the full Git repo:

...and when we see below, it looks like you are giving away that repo.
But in reality,


>>     https://git.exim.org/exim.git
>>     https://github.com/Exim/exim    [mirror of the above]
>>     - tag    exim-4.92.1
>>     - branch exim-4.92.1+fixes

you only published the public repo, which does not yet contain either
the tag exim-4.92.1 nor the branch exim-4.92.1+fixes until CRD (as
promised in the headline).  Perhaps the wording could be improved to
explicitly mention that the private repo mentioned earlier is
specifically redacted from this more public pre-release announcement,
and/or repeating the fact that the public repo will not contain the fix
until CRD (some readers will miss details that are presented only in a
headline but not reiterated in the body, on the grounds that headlines
typically only summarize contents rather than add details, such that you
can read slightly faster by skipping headlines if you are going to read
the full version instead).


>> The tagged commit is the officially released version. The tag is signed
>> with my GPG key.  The +fixes branch isn't officially maintained, but
>> contains useful patches *and* the security fix. The relevant commit is
>> signed with my GPG key. The old exim-4.92+fixes branch is being functionally
>> replaced by the new exim-4.92.1+fixes branch.

Or even the choice of tense in this paragraph may help: it sounds like
past tense ("is the officially released version") even though at the
time of the email it is a future tense ("will become the officially
released version").

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
