oss-sec mailing list archives
Re: Security release pre-announcement messages
From: Stiepan <stie () protonmail ch>
Date: Thu, 25 Jul 2019 21:35:45 +0000
I would like to congratulate the teams that do that. If public disclosure is deemed too dangerous before a patch is available, this looks like The reasonable tradeoff. Wish it was the same with Linux... Rationale: people could switch meanwhile to a known safe kernel. That would provide peace of mind to the "rest of us" who don't have the keys to the linux-distros kingdom of the elected few, yet wish to have secure OSes, without a window of vulnerability open to whoever hacked into the elected few's machines (or are entitled another way to this secret information). It would also make Linux governance way more democratic, which seems to be a must for such a "too big to fail" core open-source software. Cheers, Stiepan Envoyé depuis ProtonMail mobile -------- Message d'origine -------- On 23 juil. 2019 à 23:55, Douglas Bagnall a écrit :
On 22/07/19 11:50 PM, Solar Designer wrote:Exactly. It's just an unusual disclosure process that involves giving the users a heads-up a few days before public disclosure of the actual vulnerabilities and fixes. So far, this process is practiced by OpenSSL and Exim (any others?)On the Samba team we use wording like this: https://lists.samba.org/archive/samba/2019-June/223621.html ---------------------------- Subject: Heads-up: Security Releases ahead! Hi, This is a heads-up that there will be Samba security updates on Wednesday, June 19 2019. Please make sure that your Samba servers will be updated soon after the release! Impacted components: - AD DC (CVSS 6.5, Medium) ----------------------------- We now do this systematically, after a haphazard start. To help ourselves stay on track, we are trying to formalise our process into something approaching a checklist: https://wiki.samba.org/index.php/Samba_Security_Process and we are happy to hear suggestions for improvement. cheers, Douglas
Attachment:
publickey - stie@protonmail.ch - 0xADF18750.asc
Description:
Current thread:
- CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Heiko Schlittermann (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Mikhail Klementev (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Stuart Henderson (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Mikhail Klementev (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Solar Designer (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Amos Jeffries (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Ian Zimmerman (Jul 22)
- Security release pre-announcement messages Douglas Bagnall (Jul 24)
- Re: Security release pre-announcement messages Stiepan (Jul 26)
- Re: Security release pre-announcement messages Greg KH (Jul 26)
- Re: Security release pre-announcement messages Greg KH (Jul 26)
- Re: Security release pre-announcement messages Stiepan (Jul 26)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Stuart Henderson (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Mikhail Klementev (Jul 22)
- Re: CVE-2019-13917 OVE-20190718-0006: Exim: security release ahead Heiko Schlittermann (Jul 22)