Contributed by pitrh on from the Bugfix Ha! Bugfix Ho! dept.
Earlier today the OpenSSL project released updated versions with fixes for several recently reported bugs in their code base.
The most noteworthy thing is not that the OpenSSL project fixes bugs, but rather that information about the bugs had been privately communicated to a list of vendors that did not include OpenBSD. A seclists discussion reveals the full timeline, while the OpenBSD community's reaction can be gauged by this thread on misc@.
By Ypnose (82.120.114.121) on
By deoxyt2 (200.6.112.60) deoxyt2@lacamaradegas.cl on http://deoxyt2.livejournal.com
By Anonymous Coward (137.56.81.157) on
http://oss-security.openwall.org/wiki/mailing-lists/distros
By Noryungi (noryungi) on
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
FreeBSD and NetBSD were notified -- and they are not on this list, either. So what is going on in here??
By Anonymous Coward (38.99.63.178) on
> >
> > http://oss-security.openwall.org/wiki/mailing-lists/distros
>
> FreeBSD and NetBSD were notified -- and they are not on this list, either. So what is going on in here??
Huh?
"Currently on the distros list are representatives from:

All Linux distribution vendors who are also on the linux-distros list below
FreeBSD
NetBSD/pkgsrc"
By Magic carpet (bodie) on http://www.openbsd.org
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
Apple with their MacOS X is not there either and ...... oh wait, they were informed. Game of open source made in Linux foundation, OpenSSL, red caps and others.
By Anonymous Coward (216.16.224.222) on
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
Not true: http://undeadly.org/cgi?action=article&sid=20140605202211&pid=11
By Leon Weber (2a00:1328:e101:b02::1) leon@leonweber.de on
By Theo de Raadt (199.185.137.1) on
OK, since you anonymously speak with a voice of authority and knowledge, perhaps you are on that list.
The result is now out in the open. So let's see if someone has the balls to post the entire thread off that list which show evidence that actual disclosure was handled via that email list.
Otherwise, if we can't get that into the public light, it is more likely that disclosure was handled the other more traditional way-- where the vendor (OpenSSL) directly handed advance information to each redistributor they selected.
Come on. Show the email thread. Prove the claim that the openwall list was the disclosure path.
I am calling for some sunlight.
By Cédric Chappert (2001:41d0:fe14:b000::23) cedric.chappert@wanadoo.fr on
The choice of the OpenBSD Community was made.
For my part, the openSSL project doesn't exist anymore because it showed a lot of (voluntary?!) lacks. Maybe they just think that LibreSSL will be the future reference and want to correct the shot. This shows a political or a strategic problem.
Too late, openSSL is dead, enjoy LibreSSL.
By Jason Crawford (X-rayS) jason AT purebsd DOT net on
No, the OpenSSL guys ignore *their own advice*. Since you bring up the oss-security mailing list...
Here's the info for the distro list
http://oss-security.openwall.org/wiki/mailing-lists/distros
And if you bother to read the page (which you must to get the PGP key) then you'll see it says when you disclose on the list, you MUST TELL VENDORS... and here's the list of vendors:
http://oss-security.openwall.org/wiki/vendors
Notice who's on that list? OpenBSD. And who wasn't told? OpenBSD. 'Nuff said.
By sthen (2001:8b0:648e:cc01:f2de:f1ff:fef9:a752) on
5.5 http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/008_openssl.patch.sig
5.4 http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/012_openssl.patch