Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: OpenSSL seven security fixes
From: Solar Designer <solar () openwall com>
Date: Thu, 5 Jun 2014 17:54:53 +0400

On Thu, Jun 05, 2014 at 04:43:25PM +0400, Solar Designer wrote:
The distros list was informed of the upcoming OpenSSL release a few days
in advance, but detail on the vulnerabilities was being provided
separately, on request from each specific distro individually (PGP
encrypted).  Overall, I'd say the advance notification to distros was
just right - not too much (only a few days), not too little (just
enough), and without unnecessarily exposing the detail to distros who
wouldn't need it.

A bit worrying is the statement that the "issue was reported to OpenSSL
on 1st May 2014", though, but I appreciate the OpenSSL team making that
statement (it's in the advisory).

Mark Cox, who was providing vulnerability detail to individual distros,
has just posted the timeline:

https://plus.google.com/+MarkJCox/posts/L8i6PSsKJKs

---
Here is the timeline from my (OpenSSL) perspective for the recent CCS
Inject MITM vulnerability as well as the other flaws being fixed today.

** SSL/TLS MITM vulnerability (CVE-2014-0224)

2014-04-22 (Date we were told the reporters shared the issue with
                        JPCERT/CC)
2014-05-01 JPCERT/CC make first contact with OpenSSL security
2014-05-02 JPCERT/CC send detailed report and reproducer to        
                        OpenSSL security
2014-05-09 CERT/CC make first contact with OpenSSL security      
                         and send an updated report
2014-05-09 OpenSSL verify the issue and assign CVE-2014-0224
2014-05-12 JPCERT/CC contact OpenSSL with updated reproducer
2014-05-13 OpenSSL start communication directly to reporters to  
                       share updated patch and other technical details
2014-05-21 JPCERT/CC notify OpenSSL they have notified
                       "vendors who have implemented  OpenSSL in their          
                        products" under their framework agreement
2014-05-21 CERT/CC request permission to prenotify vendors of
                       the issue
2014-05-21 OpenSSL work with two major infrastructure providers
                       to test the fix and  ensure the fix is sufficient
2014-06-02 CERT/CC notify their distribution list about the security
                        update but with no details
2014-06-02 "OS distros" private vendor list is given headsup and
                        ability to request the patches and draft advisory
                        (0710).  Told Red Hat (0710) Debian (0750) FreeBSD
                        (0850),  AltLinux (1050), Gentoo (1150), Canonical
                        (1150), IBM (1700), Oracle (1700), 
                        SUSE (2014-06-03:0820), Amazon AMI
                        (2014-06-03:1330), NetBSD/pkgsrc (2014-06-04:0710),
                        Openwall (2014-06-04:0710)
2014-06-02 Red Hat find issue with patch (1400), updated patch
                        sent to vendors
2014-06-02 Canonical find regression with patch (1700), Stephen
                         produces updated patch, sent to vendors (1820)
2014-06-03 "ops-trust" (1015) and selected OpenSSL Foundation
                         contracts (0820) are told a security  update will be
                         released on 2014-06-05 but with no details
2014-06-05 Security updates and advisory is released

** DTLS recursion flaw (CVE-2014-0221)

2014-05-09 Reporter contacts OpenSSL security
2014-05-09 OpenSSL contacts reporter with possible patch for
                       verification
2014-05-16 Reporter confirmes patch
2014-05-18 OpenSSL tells reporter CVE name
2014-06-02 "OS distros" notification as above
2014-06-03 OpenSSL lets reporter know the release date
2014-06-05 Security updates and advisory is released

** DTLS invalid fragment vulnerability (CVE-2014-0195)

2014-04-23 HP ZDI contact OpenSSL security and pass on security
                        report
2014-05-29 OpenSSL let ZDI know the release date
2014-06-02 "OS distros" notification as above
2014-06-05 Security updates and advisory is released

** Anonymous ECDH denial of service (CVE-2014-3470)

2014-05-28 Felix Grbert and Ivan Fratri at Google report to
                       OpenSSL
2014-05-29 OpenSSL tell reporters CVE name and release date
2014-06-02 "OS distros" notification as above
2014-06-05 Security updates and advisory is released

(All times UTC)
---

On Twitter, Mark (@iamamoose) pointed out that "by telling OS vendors in
advance we actually caught two problems with the patches!", I guess
referring to these two timeline entries:

2014-06-02 Red Hat find issue with patch (1400), updated patch
                        sent to vendors
2014-06-02 Canonical find regression with patch (1700), Stephen
                         produces updated patch, sent to vendors (1820)

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault