Message-ID: <20111229191240.GA11413@openwall.com>
Date: Thu, 29 Dec 2011 23:12:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision

On Wed, Dec 28, 2011 at 07:07:30PM +0100, Andrea Barisani wrote:
> 2011-11-01: contacted affected distributions
...
> 2011-12-28: advisory release

The linux-distros list was made use of.  (I assume oCERT also contacted
non-Linux distributions separately.)

This was the first major exception to linux-distros' list policy to
limit embargoes to 14 days at most (after initial posting to the list).

I did not object this time because the underlying issue was publicly
known and the impact was limited to DoS.  Well, and I was not given an
opportunity to object other than by asking for the CRD to be moved to an
earlier date, which would likely not work for others.  (I am not
complaining.)

Yet I feel that I need to post in here and state that this does not set
a precedent, that the "14 days" policy is in effect, and that occasional
exceptions, if any, need to be agreed upon in advance (unlike what
happened this time).  That is, if someone wants to report an issue via
the linux-distros or distros lists and propose a longer embargo period,
they need to state so first, without disclosing much detail about the
issue to the list.  I think it may be OK (although this might vary on a
case by case basis) to disclose the minimum required for list members to
agree to a longer embargo period as a rare exception (like it would
probably happen for these hash collision issues), object to it (have the
list notified with detailed info closer to the proposed CRD), and/or opt
to request the detail individually (not via the list).

I think this is a rare exception to oCERT's policy, too.  It says:

"- under extremely exceptional circumstances, if the oCERT Team and all
the parties involved feel the need for longer time, a 2 months embargo
can be applied, in this case we would clearly document the decision for
public review"

Andrea - you could want to "clearly document the decision for public
review" now, although I guess your rationale was similar to mine (when I
decided not to object to the unusually long embargo period this time).

Thank you for your work on this issue!  I imagine it was pretty
time-consuming with so many affected projects.

Alexander
