oss-sec mailing list archives
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 30 Mar 2024 13:09:08 +0100
* Anthony Liguori:
I think we should have a policy that if issues are suspected to be actively exploited, that the issue goes public immediately. If even there is no patch or mitigation, there's not a lot of benefit to keeping it private.
I think we are heading in this direction anyway, given that more and more people are under reporting obligations for active exploitation. Untangling who has to be notified when isn't really a good use of our time. I expect we'll have to tell reporters that if they tell us that a vulnerabilty is under active exploitation, we'll have to go public more or less immediately.
Current thread:
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise, (continued)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pierre-Elliott Bécue (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mats Wichmann (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jan Engelhardt (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pat Gunn (Mar 30)
- SV: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Markus Klyver (Mar 31)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 31)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mike O'Connor (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Florian Weimer (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Salvatore Bonaccorso (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)