Re: CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
From: VSR Advisories <advisories () vsecurity com>
Date: Tue, 27 Mar 2012 12:18:33 -0700
As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.
> When it became apparent that this was to be violated since one or two of
> the affected upstreams wanted much more time, the reporter (Timothy D.
> Morgan of VSR Security) explained that at the time of his initial
> notification he had thought that 14 days would in fact be enough. While
> this sounds like a rather fundamental problem with a maximum embargo time
> policy (it is always possible that something new is discovered during
> discussion, which may invalidate the initial time estimate of the
> reporter), I've just added the following verbiage to hopefully reduce the
> number of such occurrences going forward:
>
> "If you have not yet notified upstream projects/developers of the affected
> software, other affected distro vendors, and/or affected Open Source
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."
I think this is a good idea. I likely misunderstood the process you want
researchers to follow when it comes to using the distros list. While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.
I'll reserve some additional comments for the oss-security list exclusively.