|From:||Solar Designer <solar-AT-openwall.com>|
|To:||Theo de Raadt <deraadt-AT-cvs.openbsd.org>|
|Subject:||Re: new OpenSSL flaws|
|Date:||Fri, 6 Jun 2014 10:26:48 +0400|
|Cc:||"Martin, Matthew" <phy1729-AT-utdallas.edu>, "grazzolini-AT-gmail.com" <grazzolini-AT-gmail.com>, "misc-AT-openbsd.org" <misc-AT-openbsd.org>, "tech-AT-openbsd.org" <tech-AT-openbsd.org>, Kurt Seifried <kurt-AT-seifried.org>|
Theo, On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote: > Kurt and Solar -- > > You are the primary contacts for the oss-security email list. Kurt is not. I guess the reason why you got such impression was because Kurt invited you to join distros recently, not knowing that you had chosen not to join (not just you personally, but OpenBSD) in the private discussion we had in early 2012. I don't know it for sure, but I guess the reasons why Kurt and not someone else chose to (re-)invite OpenBSD included Kurt's past positive interactions with OpenBSD (e.g., I recall how he was welcome to work in the OpenBSD tent at HAL2001) and that he's an active participant on the distros list. He was just trying to help. I am hosting the oss-security (public), and distros and linux-distros lists (private). So I am administrative contact for these lists. Additionally, this means that if the community starts asking for things I have strong feelings against, or I feel the private lists are causing more harm than they provide benefit (a tough balance, and there's no clear way to measure it), I may stop hosting the lists (this is why they stay "experimental" - perhaps permanently so, although we might adjust/remove the wording if it confuses people). Now to your specific questions: > Are you are aware of any operating system, product suppliers, or > service providers who were notified early by OpenSSL... but are not > found on the private mailing list? I am only aware of what's in the timeline you already saw (the one I posted to oss-security, taken from Mark Cox's Google+ post). Per that timeline, yes, there were notifications beyond distros list members: 2014-06-02 CERT/CC notify their distribution list about the security update but with no details 2014-06-03 "ops-trust" (1015) and selected OpenSSL Foundation contracts (0820) are told a security update will be released on 2014-06-05 but with no details We (Openwall) did receive a notification from CERT/CC (with no detail, as the timeline correctly says). As to whether/why OpenBSD wasn't notified by CERT/CC, I don't know. > I think it would be poor style to ask for specific names, but a > vague statement confirming or denying things would be nice. I don't even know any specific names of additional vendors CERT/CC might have notified, and I don't know who's "ops-trust" and "selected OpenSSL Foundation contracts". So the above is as specific as I have. > There are claims that attendance on your private email list is > required & sufficient for early disclosure from OpenSSL. Per the above, it appears not to be the only way. As to it being sufficient, I don't know what OpenSSL team's intent is - it is up to them who and what lists to disclose to. To me, it does appear likely that they will continue notifying the distros list, but this is not any sort of authoritative answer since I'm not with OpenSSL. > Thanks in advance for any clarity you can supply to this question. I hope the answers above help. Alexander
Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds