OpenBSD Journal

OpenSSL Releases Bugfixes, Advance Notice To Some Vendors But Not OpenBSD

Contributed by pitrh on from the Bugfix Ha! Bugfix Ho! dept.

Earlier today the OpenSSL project released updated versions of several of its branches, with fixes for a number of recently reported bugs in its code base.

The most noteworthy thing is not that the OpenSSL project fixes bugs, but rather that information about the bugs had been privately communicated in advance to a list of vendors that did not include OpenBSD. A seclists discussion reveals the full timeline, while the OpenBSD community's reaction can be gauged by this thread on misc@.

Comments
  1. By Ypnose (82.120.114.121) on

    I can't wait to have our own LibreSSL in base...

  2. By Anonymous Coward (137.56.81.157) on

    OpenBSD was not notified, because it wasn't on this mailinglist:

    http://oss-security.openwall.org/wiki/mailing-lists/distros

    Comments
    1. By Noryungi (noryungi) on

      > OpenBSD was not notified, because it wasn't on this mailinglist:
      >
      > http://oss-security.openwall.org/wiki/mailing-lists/distros

      FreeBSD and NetBSD were notified -- and they are not on this list, either. So what is going on in here??

      Comments
      1. By Anonymous Coward (38.99.63.178) on

        > > OpenBSD was not notified, because it wasn't on this mailinglist:
        > >
        > > http://oss-security.openwall.org/wiki/mailing-lists/distros
        >
        > FreeBSD and NetBSD were notified -- and they are not on this list, either. So what is going on in here??

        Huh?

        "Currently on the distros list are representatives from:
        All Linux distribution vendors who are also on the linux-distros list below
        FreeBSD
        NetBSD/pkgsrc"

    2. By Magic carpet (bodie) on http://www.openbsd.org

      > OpenBSD was not notified, because it wasn't on this mailinglist:
      >
      > http://oss-security.openwall.org/wiki/mailing-lists/distros

      Apple with their MacOS X is not there either and ...... oh wait, they were informed. Game of open source made in Linux foundation, OpenSSL, red caps and others.

    3. By Anonymous Coward (216.16.224.222) on

      > OpenBSD was not notified, because it wasn't on this mailinglist:
      >
      > http://oss-security.openwall.org/wiki/mailing-lists/distros

      Not true: http://undeadly.org/cgi?action=article&sid=20140605202211&pid=11

  3. By Leon Weber (2a00:1328:e101:b02::1) leon@leonweber.de on

    Very funny, after you guys ridiculed the existence of a mailing list for such advance notifications and declined to be subscribed: <http://www.openwall.com/lists/oss-security/2014/05/02/7>

    Comments
    1. By Theo de Raadt (199.185.137.1) on

      > Very funny, after you guys ridiculed the existence of a mailing list for such advance notifications and declined to be subscribed: <http://www.openwall.com/lists/oss-security/2014/05/02/7>

      OK, since you anonymously speak with a voice of authority and knowledge, perhaps you are on that list.

      The result is now out in the open. So let's see if someone has the balls to post the entire thread off that list which show evidence that actual disclosure was handled via that email list.

      Otherwise, if we can't get that into the public light, it is more likely that disclosure was handled the other more traditional way-- where the vendor (OpenSSL) directly handed advance information to each redistributor they selected.

      Come on. Show the email thread. Prove the claim that the openwall list was the disclosure path.

      I am calling for some sunlight.

      Comments
      1. By Cédric Chappert (2001:41d0:fe14:b000::23) cedric.chappert@wanadoo.fr on

        This is totally a waste of time to talk about this...
        The choice of the OpenBSD Community was made.

        For my part, the openSSL project doesn't exist anymore because it showed a lot of (voluntary ?!) lacks. Maybe they just think that LibreSSL will be the future reference and want to correct the shot. This shows a political or a strategic problem.
        Too late, openSSL is dead, enjoy LibreSSL.

    2. By Jason Crawford (X-rayS) jason AT purebsd DOT net on

      > Very funny, after you guys ridiculed the existence of a mailing list for such advance notifications and declined to be subscribed: <http://www.openwall.com/lists/oss-security/2014/05/02/7>

      No, the OpenSSL guys ignore *their own advice*. Since you bring up the oss-security mailing list...

      Here's the info for the distro list
      http://oss-security.openwall.org/wiki/mailing-lists/distros

      And if you bother to read the page (which you must, to get the PGP key) then you'll see it says that when you disclose on the list, you MUST TELL VENDORS... and here's the list of vendors:

      http://oss-security.openwall.org/wiki/vendors

      Notice who's on that list? OpenBSD. And who wasn't told? OpenBSD. 'Nuff said.
