Re: new OpenSSL flaws
Alexander, I'd like to thank you for taking the time to answer Theo's questions, the further advice you've given here, for your patience and the work that you do overall.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
Re: new OpenSSL flaws
On Fri, Jun 06, 2014 at 10:26:48AM +0400, Solar Designer wrote:
> On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote:
> > Kurt and Solar --
> >
> > You are the primary contacts for the oss-security email list.
>
> Kurt is not.

Sorry for going slightly off-topic, since this is not an OpenBSD thing, but I think it's appropriate to post the below in here.

I think I need to clarify Kurt's exact role on oss-security and distros, given how suspicious people are and for the sake of transparency, even though I find this otherwise irrelevant to the issue at hand.

BTW, I am not CC'ing this to Kurt because we managed to offend him so much that he doesn't want to receive these e-mails anymore. I'll post the main content of this message to oss-security as well, crediting Theo for the indirect reminder that more transparency is needed.

On the linux-distros lists, Kurt is one of the members from Red Hat. He has no special privileges there. Kurt happens to be assigning CVE IDs from Red Hat's pool when people (those reporting vulnerabilities externally and/or other list members) ask for those.

Kurt used to be assigning CVE IDs from Red Hat's pool on the public oss-security list as well. He was doing this for a long while, and I think is well recognized for that. Now MITRE takes care of this.

Kurt currently has co-moderator privileges on oss-security, for the sole purpose of approving obviously on-topic messages from new addresses (not yet pre-approved), especially when I am not around (but usually I am). This minimizes delivery delays. This does not make Kurt a "primary contact" for the list - it's a rather limited and technical role, and an unpleasant one (since most messages in the moderation queue are spam), that Kurt at some point agreed to help with (but may resign from it anytime).

Another current co-moderator on oss-security is Josh Bressers. Both Kurt and Josh are from Red Hat. The set of co-moderators is occasionally changing as people volunteer or resign.

I think I should adopt a practice to announce such changes on oss-security itself right away, for the sake of transparency, even though the additional co-moderators (everyone besides me) only approve obvious on-topic messages and don't reject anything, so the responsibility for the list's policies remains mine (and I am the only one to blame).

"Conspiracy theorists" may now say that this is a "privilege" that provides (a few hours of?) advance notification, and that messages may be deliberately delayed. I've heard such claims about Bugtraq (they might or might not be right).

On oss-security, most messages are from pre-approved senders (so they get posted right away, with no ability for a co-moderator to even see them before they're sent to everyone), and the few that get into the moderation queue are approved quickly (from minutes to hours, but not days - whenever I or a co-moderator gets a chance to check our e-mail and confirm that the message is not spam and is on-topic).

Such concerns could apply to Bugtraq (and do apply, as we've seen from some public criticism of Bugtraq) and to FD as well. I think they apply to oss-security to a smaller extent, because a lot of people (who post to oss-security) actually know that delays are usually non-existent or, when they do occur, are much smaller than those on Bugtraq (and likely smaller than those on FD as well, but I'd need to actually analyze the data to make sure). (I do think Bugtraq's delays are often unacceptable, regardless of why they occur.)

As far as I'm aware, no oss-security posting was ever abusively delayed. There are some rare occasions where a posting is questionable (neither obviously on-topic nor obviously off-topic) and a moderation decision takes time to make - e.g., sometimes I contact the sender to have them clarify why their posting would be appropriate for oss-security. In those cases, as well as even for obviously off-topic messages, the co-moderators do nothing, and I handle these (almost always same day).

IIRC, none of these were vulnerability reports in open source software. I do recall some that were vulnerability reports in closed source software (and this needed to be clarified before they got rejected as off-topic). When such misdirected reports happen, we don't make use of the information in the rejected postings (and the sender typically posts to FD or/and Bugtraq).

Alexander
Re: new OpenSSL flaws
On Sun, Jun 08, 2014 at 10:38:50AM +0200, Francois Ambrosini wrote:
> I am a mere user who happened to spot an inconsistency and wanted to
> inform all parties.

I appreciate the constructive nature of your messages.

> I will not comment on your guesses and opinions with information I do
> not have. I'll just state that I find your interpretation of the quote
> from the OpenSSL wiki rather optimistic,

It's not interpretation of the quote from their wiki. It's what I think they may and should do next time, given the circumstances, and an observation that the specific wording on the wiki technically does not contradict that.

> and give you the additional
> hint that a public statement from Mark Cox on Google+ goes against it
> (check the "timeline" post).

On the contrary, the timeline shows that distros wasn't the only place OpenSSL sent a notification to. It also lists CERT/CC, "ops-trust", and "selected OpenSSL Foundation contracts". So OpenSSL did have an additional list of who to notify at that time. I think they may have such a list next time as well, and they may include LibreSSL on it.

> I humbly think it was (and is) not the right time for guesses and I
> must confess my surprise at your response. I would have thought that,
> with the new responsibility given to the "distro" list, you would want
> to check with the OpenSSL people first.

I think I am in a better position to politely put light pressure on OpenSSL by stating my opinion publicly - namely, suggesting that they notify LibreSSL next time - regardless of how exclusive or not their planned use of the distros list might have been. I especially don't want to end up receiving any non-public information on their decision-making on who and how to notify, at which point I'd have to choose between two evils: reveal something they might disclose to me as (implied or stated) confidential or not informing you and the general public of that something if it's relevant to this discussion.

As you can see, I've CC'ed this and the message you replied to, to Mark Cox, who managed OpenSSL's recent notification to distros list. I don't expect Mark to comment, but I'd like him to be aware.

Mark - I hope you understand and agree with my position on this, as well as my reasoning for not coordinating this with OpenSSL in private first.

Alexander
Re: new OpenSSL flaws
On Sat, 7 Jun 2014 14:19:33 +0400
Solar Designer wrote:

> On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote:
> > On Sat, 7 Jun 2014 07:04:47 +0400
> > Solar Designer wrote:
> >
> > > Being on the distros list is not mandatory to receive advance
> > > notification of security issues. The list is just a tool. People
> > > reporting security issues to the distros list are encouraged to
> > > also "notify upstream projects/developers of the affected
> > > software, other affected distro vendors, and/or affected Open
> > > Source projects".
> >
> > You and others may want to know that – since yesterday – the
> > OpenSSL wiki says otherwise. Quoting:
> >
> > "If you would like advanced notice of vulnerabilities before they
> > are released to the general public, then please join
> > [http://oss-security.openwall.org/wiki/mailing-lists/distros
> > Operating system distribution security contact lists] at OpenWall's
> > OSS Security"
> >
> > http://wiki.openssl.org/index.php?title=Security_Advisories&diff=1700&oldid=1697
>
> Thanks for letting me know. I wasn't aware of this. I don't know
> whether this wiki edit is authoritative for the OpenSSL project, but
> if it is it means that there's greater assurance those on distros
> list will continue to receive advance notification, and indeed it's
> simpler for the OpenSSL project to be able to notify more distro
> vendors at once.
>
> I don't see it as contradictory to what I wrote (quoted above): it
> doesn't say that those who haven't joined will definitely not be
> notified. I guess OpenSSL will maintain an additional list of who to
> notify, besides the distros list. As I said before, I can't speak
> for the OpenSSL project, though - so these are just guesses.
>
> My personal opinion is that if OpenBSD doesn't join the distros list,
> yet wants LibreSSL to be notified of OpenSSL security issues, OpenSSL
> should be notifying LibreSSL directly. I think it'd be helpful if
> LibreSSL nominates specific contact persons for that, along with PGP
> keys to use, and informs the OpenSSL project of that. (Use of PGP was
> mandatory in the recent advance notification offered to distros list.)
> Once that has been done, you'd have (more) reason to complain if
> you're not notified next time (but I hope you will be).
>
> Alexander

I am a mere user who happened to spot an inconsistency and wanted to inform all parties. I will not comment on your guesses and opinions with information I do not have. I'll just state that I find your interpretation of the quote from the OpenSSL wiki rather optimistic, and give you the additional hint that a public statement from Mark Cox on Google+ goes against it (check the "timeline" post).

I humbly think it was (and is) not the right time for guesses and I must confess my surprise at your response. I would have thought that, with the new responsibility given to the "distro" list, you would want to check with the OpenSSL people first.
Re: new OpenSSL flaws
On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote:
> On Sat, 7 Jun 2014 07:04:47 +0400
> Solar Designer wrote:
>
> > Being on the distros list is not mandatory to receive advance
> > notification of security issues. The list is just a tool. People
> > reporting security issues to the distros list are encouraged to also
> > "notify upstream projects/developers of the affected software, other
> > affected distro vendors, and/or affected Open Source projects".
>
> You and others may want to know that – since yesterday – the OpenSSL
> wiki says otherwise. Quoting:
>
> "If you would like advanced notice of vulnerabilities before they are
> released to the general public, then please join
> [http://oss-security.openwall.org/wiki/mailing-lists/distros Operating
> system distribution security contact lists] at OpenWall's OSS Security"
>
> http://wiki.openssl.org/index.php?title=Security_Advisories&diff=1700&oldid=1697

Thanks for letting me know. I wasn't aware of this. I don't know whether this wiki edit is authoritative for the OpenSSL project, but if it is it means that there's greater assurance those on distros list will continue to receive advance notification, and indeed it's simpler for the OpenSSL project to be able to notify more distro vendors at once.

I don't see it as contradictory to what I wrote (quoted above): it doesn't say that those who haven't joined will definitely not be notified. I guess OpenSSL will maintain an additional list of who to notify, besides the distros list. As I said before, I can't speak for the OpenSSL project, though - so these are just guesses.

My personal opinion is that if OpenBSD doesn't join the distros list, yet wants LibreSSL to be notified of OpenSSL security issues, OpenSSL should be notifying LibreSSL directly. I think it'd be helpful if LibreSSL nominates specific contact persons for that, along with PGP keys to use, and informs the OpenSSL project of that. (Use of PGP was mandatory in the recent advance notification offered to distros list.) Once that has been done, you'd have (more) reason to complain if you're not notified next time (but I hope you will be).

Alexander
Re: new OpenSSL flaws
On Sat, 7 Jun 2014 07:04:47 +0400
Solar Designer wrote:

> To clarify and for the record:
>
> Being on the distros list is not mandatory to receive advance
> notification of security issues. The list is just a tool. People
> reporting security issues to the distros list are encouraged to also
> "notify upstream projects/developers of the affected software, other
> affected distro vendors, and/or affected Open Source projects".

You and others may want to know that – since yesterday – the OpenSSL wiki says otherwise. Quoting:

"If you would like advanced notice of vulnerabilities before they are released to the general public, then please join [http://oss-security.openwall.org/wiki/mailing-lists/distros Operating system distribution security contact lists] at OpenWall's OSS Security"

http://wiki.openssl.org/index.php?title=Security_Advisories&diff=1700&oldid=1697
Re: new OpenSSL flaws
On 07-06-2014 00:04, Solar Designer wrote:
> tools and ethics are separate things

It seems like you got to the real issue now.

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: new OpenSSL flaws
To clarify and for the record:

Being on the distros list is not mandatory to receive advance notification of security issues. The list is just a tool. People reporting security issues to the distros list are encouraged to also "notify upstream projects/developers of the affected software, other affected distro vendors, and/or affected Open Source projects".

OpenBSD having declined to use the tool shouldn't be interpreted e.g. by OpenSSL as a reason not to notify LibreSSL directly. I don't know if such reasons exist or not, but OpenBSD not being on distros is not it.

I do think OpenBSD would benefit from using the tool, increasing the percentage of issues you do receive advance notification for, if you'd like that. However, tools and ethics are separate things.

Alexander
Re: new OpenSSL flaws
I do not believe that they are specifically ignoring OpenBSD; I believe they are ignoring the BSDs in general. Perhaps someone notified FreeBSD, but nobody notified the DragonflyBSD team either.

On 06/05/2014 09:27 PM, Theo de Raadt wrote:
> There are two main open-source processes for dealing with discovery of
> security issues and disclosure of that information to the greater
> community.
>
> - One common process is that generally followed by OpenBSD. In this
> process a bug is found, and a fix is committed as soon as the
> improvement is known to be good. Then if an assessment has been done, and
> it is determined to be important, disclosure occurs, of course after
> the commit is already public. Everyone including the vendors had the
> opportunity to get the information in a fair and equal way.
>
> - The other main process used by some open source groups, is to
> quarantine important repairs. A fix is first disclosed to all affected
> parties, or at least the right concerned subset. This creates a delay
> before information availability, but the coordination is intended to
> provide a benefit. Everyone generally gets the information in a fair
> and equal way.
>
> Both processes have their place. Each software group has their own
> limitations and needs which will drive their selection.
>
>
> It is clear that the second process -- intending to also take an ethical
> path for disclosure -- should not specifically exclude a part of the
> community.
>
>
> Unfortunately I find myself believing reports that the OpenSSL people
> intentionally asked others for quarantine, and went out of their way
> to ensure this information would not come to OpenBSD and LibreSSL.
>
> There, I've said it.
Re: new OpenSSL flaws
Theo,

On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote:
> Kurt and Solar --
>
> You are the primary contacts for the oss-security email list.

Kurt is not. I guess the reason why you got such impression was because Kurt invited you to join distros recently, not knowing that you had chosen not to join (not just you personally, but OpenBSD) in the private discussion we had in early 2012. I don't know it for sure, but I guess the reasons why Kurt and not someone else chose to (re-)invite OpenBSD included Kurt's past positive interactions with OpenBSD (e.g., I recall how he was welcome to work in the OpenBSD tent at HAL2001) and that he's an active participant on the distros list. He was just trying to help.

I am hosting the oss-security (public), and distros and linux-distros lists (private). So I am administrative contact for these lists. Additionally, this means that if the community starts asking for things I have strong feelings against, or I feel the private lists are causing more harm than they provide benefit (a tough balance, and there's no clear way to measure it), I may stop hosting the lists (this is why they stay "experimental" - perhaps permanently so, although we might adjust/remove the wording if it confuses people).

Now to your specific questions:

> Are you aware of any operating system, product suppliers, or
> service providers who were notified early by OpenSSL... but are not
> found on the private mailing list?

I am only aware of what's in the timeline you already saw (the one I posted to oss-security, taken from Mark Cox's Google+ post). Per that timeline, yes, there were notifications beyond distros list members:

2014-06-02 CERT/CC notify their distribution list about the security update but with no details
2014-06-03 "ops-trust" (1015) and selected OpenSSL Foundation contracts (0820) are told a security update will be released on 2014-06-05 but with no details

We (Openwall) did receive a notification from CERT/CC (with no detail, as the timeline correctly says). As to whether/why OpenBSD wasn't notified by CERT/CC, I don't know.

> I think it would be poor style to ask for specific names, but a
> vague statement confirming or denying things would be nice.

I don't even know any specific names of additional vendors CERT/CC might have notified, and I don't know who's "ops-trust" and "selected OpenSSL Foundation contracts". So the above is as specific as I have.

> There are claims that attendance on your private email list is
> required & sufficient for early disclosure from OpenSSL.

Per the above, it appears not to be the only way. As to it being sufficient, I don't know what OpenSSL team's intent is - it is up to them who and what lists to disclose to. To me, it does appear likely that they will continue notifying the distros list, but this is not any sort of authoritative answer since I'm not with OpenSSL.

> Thanks in advance for any clarity you can supply to this question.

I hope the answers above help.

Alexander
Re: new OpenSSL flaws
Miod Vallat [m...@online.fr] wrote:
> > Now you have an example of how they are unwilling to work with you next
> > time someone asks why not work with OpenSSL on fixing it. Pretty direct
> > proof.
>
> The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE.
>
> We believe in peer review; they don't give a sh*t about it (as shown
> less than a month ago by the way their #3317 bug was fixed, committing a
> different fix from the proposed one and introducing a stupid *and
> obvious* bug in the process - which got fixed the next day after otto@
> mentioned it to the OpenSSL developers).
>
> If you can't trust people to apply one-liner fixes correctly, can you
> trust them for anything serious?

I think this Networkworld article says it all... (and since when did interesting, critical analysis come from Networkworld!?)

http://www.networkworld.com/article/2360229/microsoft-subnet/critical-flaw-in-encryption-has-been-in-openssl-code-for-over-15-years.html

If you don't think that Robin Seggelmann is a paid stooge actively trying to sabotage OpenSSL (an idea rooted in paranoia?) then you may at least think he is careless, unable to use critical thought, and certainly doesn't need commit access to any source code repository. Am I late to the party? Or is it time to re-audit every single character of his code?

In the meantime, let Dr. Stephen N. Strangelove continue his mad plan to support VMS and Windows 3.1. Let him play games with LibreSSL "competitors" by denying advance notice. Perhaps next time Otto won't bother to inform them about their new stupid, obvious flaws in return? It's low class for Dr. Strangelove and his team to behave like this, after the many repetitive attempts from @openbsd.org to bring OpenSSL into the new century.

OpenSSH became the de-facto standard because it was the only serious free alternative for a long time. OpenSSL has always been free. So the culture difference is precisely what will drive people for, or away from OpenSSL. (People from the culture of supporting ancient software and broken standards are going to choose OpenSSL every time!)
Re: new OpenSSL flaws
> I suggest you talk to Mark Cox who actually handled this stuff. I'm not
> sure why you are asking two people (myself and Solar) who are NOT part of
> the OpenSSL team about whom the OpenSSL team notified.

Kurt, if Mark Cox is the person who handled this stuff, fine. Who cares?

I am hearing claims all over the place regarding a list RUN BY YOU.

FACT: Kurt Seifried and Solar Designer are the two primary operators of the openwall security list, the declared access point for security issues affecting Linux operating systems.

There are claims being lodged that disclosure of these OpenSSL problems happened on that list.

There are claims that we did not get this disclosure because OpenBSD is not on that list. Particularly me, Bob, and Todd Miller.

Kurt, is that true? Is that how you see it? Were disclosures handled there, or via another platform or method?

ANSWER THE QUESTION.

If you won't answer this question, no one should ever trust you again for anything.

> I'm done playing games with you Theo. You were invited to join distros
> publicly and flamed me. I privately emailed Bob Beck inviting him to join,
> and he flamed me (but then apologized). You both said no. I can't do
> anything more. I wish you the best of luck in your future endeavors.

I am not playing any games. Let's look at the facts.

Kurt Seifried is an official Red Hat security officer (of sorts, but probably not tomorrow)

Kurt, is Mark Cox your supervisor?

A claim is being made that disclosure to OpenBSD needs to be on a Russian email list run by you (Kurt Seifried) and Solar Designer (not going to include his real name) for access to early disclosure of important security information.

SO ANSWER THE FUCKING QUESTION, KURT.

Or else, if you are a wimp, have your Mark Cox answer the fucking question.

Red Hat and OpenSSL -- answer the fucking question.

Why was the OpenBSD user community excluded from this information?

Why are there public accusations -- from Red Hat officers -- that OpenBSD developers only get advance access to information if they join a Russian located email list?

ps. Who is Mark Cox? I've never heard of him.
Re: new OpenSSL flaws
I may also remind people that those lists are acknowledged right at the top as experimental. They also do not allow for non-personal subscriptions, so they aren't very practical for this. What if I was away for a day or three.. Or more..

Essentially this is a nice experiment, but not really a practical means of early disclosure. Nor were we informed it was anything beyond experimental.

On 5 Jun 2014 17:39, "Stuart Henderson" wrote:
> On 2014/06/05 20:43, Martin, Matthew wrote:
> > > That's exactly my thought. Especially, because FreeBSD and NetBSD were
> > > warned, but not OpenBSD. If this was only a rant or any childish
> > > behavior from them, it's something stupid and, of course, not the right
> > > thing to do. But hey, we're all human. My real concern is if this
> > > something else, a hidden agenda, in that this "stupid disclosure" was
> > > indeed, carefully planned. One can never have too many conspiracy
> > > theories. Especially after what has been happening the last year. Thanks
> > > for the clarification.
> >
> > Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
> > is not on the distros mailing list and if we were then "they'd be able
> > to work with other distros on issues in advance."
>
> The distros and linux-distros lists are a good way to contact *some*
> OS distributions and Amazon.
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros
>
> But there are clearly a number of others for whom an OpenSSL bug
> would have big impact who are not on that list (OS such as OpenBSD
> and Apple, large scale hosting providers, etc). Many of these are
> listed on the security contacts page on the wiki, and actually, the
> page with information about sending to the distros list (which
> submitters cannot ignore as it has the required pgp key) says:
>
> "Please notify upstream projects/developers of the
> affected software, other affected distro vendors
> <http://oss-security.openwall.org/wiki/vendors>, and/or
> affected Open Source projects before notifying one of these
> mailing lists in order to ensure that these other parties
> are OK with the maximum embargo period that would apply."
Re: new OpenSSL flaws
On 2014/06/05 20:43, Martin, Matthew wrote:
> > That's exactly my thought. Especially, because FreeBSD and NetBSD were
> > warned, but not OpenBSD. If this was only a rant or any childish
> > behavior from them, it's something stupid and, of course, not the right
> > thing to do. But hey, we're all human. My real concern is if this
> > something else, a hidden agenda, in that this "stupid disclosure" was
> > indeed, carefully planned. One can never have too many conspiracy
> > theories. Especially after what has been happening the last year. Thanks
> > for the clarification.
>
> Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
> is not on the distros mailing list and if we were then "they'd be able
> to work with other distros on issues in advance."

The distros and linux-distros lists are a good way to contact *some* OS distributions and Amazon.

http://oss-security.openwall.org/wiki/mailing-lists/distros

But there are clearly a number of others for whom an OpenSSL bug would have big impact who are not on that list (OS such as OpenBSD and Apple, large scale hosting providers, etc). Many of these are listed on the security contacts page on the wiki, and actually, the page with information about sending to the distros list (which submitters cannot ignore as it has the required pgp key) says:

"Please notify upstream projects/developers of the affected software, other affected distro vendors <http://oss-security.openwall.org/wiki/vendors>, and/or affected Open Source projects before notifying one of these mailing lists in order to ensure that these other parties are OK with the maximum embargo period that would apply."
Re: new OpenSSL flaws
On 05-06-2014 19:43, Bob Beck wrote:
> For the record, we didn't get advance notice of Heartbleed either, so
> this is nothing new.

Bob,

I didn't know that. I feel like I've released a monster (Cthulhu anyone?). I was just curious when I asked Theo if this had happened before. It's possible that someone else would also ask him that. Anyway, this kind of thing hurts the entire FLOSS movement. The whole point of writing an open source project is collaboration. It seems that OpenSSL took a step backward on this. Now, I wonder, if there won't be LibreSSL code appearing on OpenSSL.

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: new OpenSSL flaws
We are not on a linux distros mailing list, because we are not a linux distribution. And this private mailing list is not really an acknowledged conduit for vulnerability release.

I was asked by someone privately if *I* would be on that mailing list on June 2nd. I said I would consider it, but as I felt the list was not being used for advanced disclosure in a practical means, I didn't see the reason for it - but I would be open to it if it was being used for advanced disclosure.. my words on June 2 ended with:

>In a nutshell, I suppose I'm asking you - does this help if the list only gets
>notification at the same time, basically, as public release?
>
>Or are there some "rules" for participants?

The reply I got said they couldn't give any details because there were not any - so obviously as of June 2, someone who was on and maintained that list did not feel that there was any need to be on the list for advance disclosure of bugs.

For the record, we didn't get advance notice of Heartbleed either, so this is nothing new.

On Thu, Jun 5, 2014 at 2:43 PM, Martin, Matthew wrote:
>> That's exactly my thought. Especially, because FreeBSD and NetBSD were
>> warned, but not OpenBSD. If this was only a rant or any childish
>> behavior from them, it's something stupid and, of course, not the right
>> thing to do. But hey, we're all human. My real concern is if this
>> something else, a hidden agenda, in that this "stupid disclosure" was
>> indeed, carefully planned. One can never have too many conspiracy
>> theories. Especially after what has been happening the last year. Thanks
>> for the clarification.
>
> Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
> is not on the distros mailing list and if we were then "they'd be able
> to work with other distros on issues in advance."
>
> It's at http://oss-security.openwall.org/wiki/mailing-lists/distros .
>
> Not saying I believe or disbelieve him, but it can't hurt to join even
> if it is only until 5.6 comes out.
>
> - Matthew Martin
Re: new OpenSSL flaws
> Not saying I believe or disbelieve him, but it can't hurt to join even
> if it is only until 5.6 comes out.

Another way to phrase this is

The OpenBSD user community should accept they have suffered because Theo declined an invitation to a private email list, entirely unrelated to the vendor who was in control of deciding where the notification would go.

Right. That's a good one.

I will not join that list. It would not have helped. I do not do work in SSL; there's 10 other people on our group who do that. Shall I send a request that all 10 of our SSL sub-group join that list, because there's a lot of SSL-related shit coming down the pipe soon?

Heck, why don't they just let anyone join...
Re: new OpenSSL flaws
> > That's exactly my thought. Especially, because FreeBSD and NetBSD were
> > warned, but not OpenBSD. If this was only a rant or any childish
> > behavior from them, it's something stupid and, of course, not the right
> > thing to do. But hey, we're all human. My real concern is if this
> > something else, a hidden agenda, in that this "stupid disclosure" was
> > indeed, carefully planned. One can never have too many conspiracy
> > theories. Especially after what has been happening the last year. Thanks
> > for the clarification.
>
> Mark Cox claims that the reason OpenBSD was not told is because OpenBSD
> is not on the distros mailing list and if we were then "they'd be able
> to work with other distros on issues in advance."
>
> It's at http://oss-security.openwall.org/wiki/mailing-lists/distros .
>
> Not saying I believe or disbelieve him, but it can't hurt to join even
> if it is only until 5.6 comes out.

That is an interesting claim. It sounds like we should test it, rather than take it as fact. Let's ask the right people.

Kurt and Solar --

You are the primary contacts for the oss-security email list.

Are you aware of any operating system, product suppliers, or service providers who were notified early by OpenSSL... but are not found on the private mailing list?

I think it would be poor style to ask for specific names, but a vague statement confirming or denying things would be nice.

There are claims that attendance on your private email list is required & sufficient for early disclosure from OpenSSL.

Thanks in advance for any clarity you can supply to this question.
Re: new OpenSSL flaws
> That's exactly my thought. Especially because FreeBSD and NetBSD were
> warned, but not OpenBSD. If this was only a rant or any childish
> behavior from them, it's something stupid and, of course, not the right
> thing to do. But hey, we're all human. My real concern is if this is
> something else, a hidden agenda, in that this "stupid disclosure" was
> indeed carefully planned. One can never have too many conspiracy
> theories. Especially after what has been happening the last year. Thanks
> for the clarification.

Mark Cox claims that the reason OpenBSD was not told is because OpenBSD is not on the distros mailing list and if we were then "they'd be able to work with other distros on issues in advance."

It's at http://oss-security.openwall.org/wiki/mailing-lists/distros .

Not saying I believe or disbelieve him, but it can't hurt to join even if it is only until 5.6 comes out.

- Matthew Martin
Re: new OpenSSL flaws
> >It is clear that the second process -- intending to also take an ethical
> >path for disclosure -- should not specifically exclude a part of the
> >community.
>
> They specifically exclude parts of the community that specifically
> say they don't want to be INCLUDED.
>
> See: http://seclists.org/oss-sec/2014/q2/233

Dear Anonymous,

That discussion is unrelated.

I made a personal statement that I did not wish to participate in another private mailing list, stating my reasons as clearly as I could.

My personal participation in such a mailing list is very distinct from OpenSSL's social responsibility to inform

- the 10+ developers working on LibreSSL (I am only a minor part of that sub-group).
- the security-concerned sub-group of OpenBSD (I play a big part in that, but not in regards to the SSL subset, so at most I would have handed this to the LibreSSL subgroup)

Dr. Henson of OpenSSL knew who to contact. The other members of the private mailing list were witness to the disclosure gap. The choice was made there.

I cannot be held responsible for this lack of notification.
Re: new OpenSSL flaws
On Thu, Jun 05, 2014 at 08:02:58PM +, Miod Vallat wrote:
>
> If you can't trust people to apply one-liner fixes correctly, can you
> trust them for anything serious?

I really don't like to point fingers, but... It is done by the same people that introduced the Debian random number bug back in 2006:

http://www.gergely.risko.hu/debian-dsa1571.en.html
Re: new OpenSSL flaws
> Now you have an example of how they are unwilling to work with you next
> time someone asks why not work with OpenSSL on fixing it. Pretty direct
> proof.

The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE.

We believe in peer review; they don't give a sh*t about it (as shown less than a month ago by the way their #3317 bug was fixed, committing a different fix from the proposed one and introducing a stupid *and obvious* bug in the process - which got fixed the next day after otto@ mentioned it to the OpenSSL developers).

If you can't trust people to apply one-liner fixes correctly, can you trust them for anything serious?

Miod
Re: new OpenSSL flaws
On 05-06-2014 16:27, Theo de Raadt wrote:
> There are two main open-source processes for dealing with discovery of
> security issues and disclosure of that information to the greater
> community.
>
> - One common process is that generally followed by OpenBSD. In this
> process a bug is found, and a fix is committed as soon as the
> improvement is known to be good. Then if an assessment has been done, and
> it is determined to be important, disclosure occurs, of course after
> the commit is already public. Everyone including the vendors had the
> opportunity to get the information in a fair and equal way.
>
> - The other main process used by some open source groups is to
> quarantine important repairs. A fix is first disclosed to all affected
> parties, or at least the right concerned subset. This creates a delay
> before information availability, but the coordination is intended to
> provide a benefit. Everyone generally gets the information in a fair
> and equal way.
>
> Both processes have their place. Each software group has their own
> limitations and needs which will drive their selection.
>
>
> It is clear that the second process -- intending to also take an ethical
> path for disclosure -- should not specifically exclude a part of the
> community.
>
>
> Unfortunately I find myself believing reports that the OpenSSL people
> intentionally asked others for quarantine, and went out of their way
> to ensure this information would not come to OpenBSD and LibreSSL.
>
> There, I've said it.

That's exactly my thought. Especially because FreeBSD and NetBSD were warned, but not OpenBSD. If this was only a rant or any childish behavior from them, it's something stupid and, of course, not the right thing to do. But hey, we're all human. My real concern is if this is something else, a hidden agenda, in that this "stupid disclosure" was indeed carefully planned. One can never have too many conspiracy theories. Especially after what has been happening the last year.

Thanks for the clarification.

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: new OpenSSL flaws
There are two main open-source processes for dealing with discovery of security issues and disclosure of that information to the greater community.

- One common process is that generally followed by OpenBSD. In this process a bug is found, and a fix is committed as soon as the improvement is known to be good. Then if an assessment has been done, and it is determined to be important, disclosure occurs, of course after the commit is already public. Everyone including the vendors had the opportunity to get the information in a fair and equal way.

- The other main process used by some open source groups is to quarantine important repairs. A fix is first disclosed to all affected parties, or at least the right concerned subset. This creates a delay before information availability, but the coordination is intended to provide a benefit. Everyone generally gets the information in a fair and equal way.

Both processes have their place. Each software group has their own limitations and needs which will drive their selection.

It is clear that the second process -- intending to also take an ethical path for disclosure -- should not specifically exclude a part of the community.

Unfortunately I find myself believing reports that the OpenSSL people intentionally asked others for quarantine, and went out of their way to ensure this information would not come to OpenBSD and LibreSSL.

There, I've said it.
Re: new OpenSSL flaws
On 05-06-2014 15:57, Theo de Raadt wrote:
>> On 05-06-2014 15:42, dera...@cvs.openbsd.org wrote:
>>> We are sorry that the errata for these libssl security issues are not
>>> up yet.
>>>
>>> The majority of these issues are in our ssl library as well.
>>>
>>> Most other operating system vendors have patches available, but that
>>> is because they were (obviously) given a heads up to prepare them over
>>> the last few days.
>>>
>>> OpenBSD / LibreSSL did not receive any heads-up from OpenSSL.
>>>
>>> So hold on, we'll try to have errata out in a few hours.
>>>
>> Theo,
>>
>> I'm just curious, but has this happened in the past?
> Sure, it has happened in the past. But probably not to this
> degree.
>
> Some sort of timeline has been published. Read between the lines.
>
> http://seclists.org/oss-sec/2014/q2/466

Hmmm, the first thing I did on that page was ctrl + f OpenBSD: not found. It's very interesting that this happened, to this degree as you mentioned, just after you guys forked OpenSSL. I've disabled most of the daemons that use ssl in my systems, until this errata comes along. Don't hush it, especially since you guys didn't get notified of this.

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: new OpenSSL flaws
> On 05-06-2014 15:42, dera...@cvs.openbsd.org wrote:
> > We are sorry that the errata for these libssl security issues are not
> > up yet.
> >
> > The majority of these issues are in our ssl library as well.
> >
> > Most other operating system vendors have patches available, but that
> > is because they were (obviously) given a heads up to prepare them over
> > the last few days.
> >
> > OpenBSD / LibreSSL did not receive any heads-up from OpenSSL.
> >
> > So hold on, we'll try to have errata out in a few hours.
> >
> Theo,
>
> I'm just curious, but has this happened in the past?

Sure, it has happened in the past. But probably not to this degree.

Some sort of timeline has been published. Read between the lines.

http://seclists.org/oss-sec/2014/q2/466
Re: new OpenSSL flaws
On 05-06-2014 15:42, dera...@cvs.openbsd.org wrote:
> We are sorry that the errata for these libssl security issues are not
> up yet.
>
> The majority of these issues are in our ssl library as well.
>
> Most other operating system vendors have patches available, but that
> is because they were (obviously) given a heads up to prepare them over
> the last few days.
>
> OpenBSD / LibreSSL did not receive any heads-up from OpenSSL.
>
> So hold on, we'll try to have errata out in a few hours.
>
Theo,

I'm just curious, but has this happened in the past?

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
new OpenSSL flaws
We are sorry that the errata for these libssl security issues are not up yet.

The majority of these issues are in our ssl library as well.

Most other operating system vendors have patches available, but that is because they were (obviously) given a heads up to prepare them over the last few days.

OpenBSD / LibreSSL did not receive any heads-up from OpenSSL.

So hold on, we'll try to have errata out in a few hours.