oss-sec mailing list archives

Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing


From: Gordon Tetlow <gordon () tetlows org>
Date: Sat, 27 Mar 2021 15:28:52 -0700

On Sat, Mar 27, 2021 at 11:05 AM Solar Designer <solar () openwall com> wrote:

> One other detail I feel I have to bring up in here, and expect a
> response to, is Wind River's apparent leak of the vulnerability detail
> two days prior to scheduled public disclosure.  This was brought up on
> the distros list back then, and I was also asked about it on Twitter
> when the vulnerabilities were finally made public appropriately on the
> scheduled date.
>
> Since the vulnerability detail wasn't on the distros list, it's not
> exactly a case of a list member leaking from there, but it's closely
> related.  And regardless of where this happened, it's a concern, which
> we probably should discuss on oss-security.
>
> So I'd appreciate an explanation/statement from Wind River on what
> happened and what measures, if any, are being taken to prevent this from
> happening again.  I'd also appreciate a comment from OpenSSL.
>
> The leak was on a web page archived here:
>
> https://web.archive.org/web/20210324105700/https://support2.windriver.com/index.php?page=security-notices&on=view&id=7055

While I am neither Wind River nor OpenSSL, I did notice on the linked
page that the upper right hand corner says:
Released: Apr 22, 2020     Updated: Mar 22, 2021

Without knowing much else, it feels like someone accidentally put a
"released" date as last year and the content management system went
ahead and made the article public. Hard to say without confirmation,
but I could definitely see that being the chain of events.

Gordon
