Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217


  • To: "Jan Beulich" <JBeulich@xxxxxxxx>
  • From: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 28 Jun 2012 19:30:37 +0100
  • Cc: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx
  • Delivery-date: Thu, 28 Jun 2012 18:26:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

> I think this should be done via (perhaps silent) consensus on the
> pre-disclosure list. Leaving the embargo time line determination
> entirely to the discoverer isn't really suitable.

Reality check. If the reporter decides to give you a date you are given a
date, if they decide to not negotiate that date then you can either meet
it or leave your customers vulnerable when it is published.

A lot of reporters are hostile to extensions and slowness because there
is a long history of process abuse elsewhere.

> I think having hardware vendors involved is really only necessary
> when hardware related issues need to be dealt with.

Which can be done on a case by case basis.

> As indicated above, this should not be permitted, due to
> fairness considerations. Otherwise we should not place
> restrictions on who might be on the list at least as an observer.

For any GPL code elements you cannot create a contractual basis for
preventing code release. It's a violation of the GPL "additional
restrictions" rule. At best you can trust everyone to be sensible.

> Just the same we allow individual vendors to communicate -
> acknowledge the fact that there is a vulnerability, identifiers, and
> expected embargo deadline.

You also need to end it the moment a third party publishes any info, or
you'll get into stupid situations where only those who signed up to it
can't talk about it (e.g. the infamous Pentium lockup bug).

> > 8. Predisclosure subscription process, and email address criteria

Email is not a trustworthy medium. The Linux security list was in the
past intercepted.

> > We need a clear policy about releasing proof of concept exploits -
> > whether, when and who to.
> 
> This I think could (and perhaps should) really be left to the
> discoverer, as this may be considered intellectual property.

They ought to be in the regression suite if possible.

On the fixes side also remember some vendors may choose to ship fixes
that differ from the "official" one.

Alan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel