Re: [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
- To: Solar Designer <solar@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
- From: VSR Advisories <advisories@xxxxxxxxxxxxx>
- Date: Tue, 27 Mar 2012 12:18:33 -0700
Hi Alexander,
As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.
> When it became apparent that this was to be violated since one or two of
> the affected upstreams wanted much more time, the reporter (Timothy D.
> Morgan of VSR Security) explained that at the time of his initial
> notification he had thought that 14 days would in fact be enough. While
> this sounds like a rather fundamental problem with a maximum embargo time
> policy (it is always possible that something new is discovered during
> discussion, which may invalidate the initial time estimate of the
> reporter), I've just added the following verbiage to hopefully reduce the
> number of such occurrences going forward:
>
> "If you have not yet notified upstream projects/developers of the affected
> software, other affected distro vendors, and/or affected Open Source
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."
I think this is a good idea. I likely misunderstood the process you want
researchers to follow when it comes to using the distros list. While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.
I'll reserve some additional comments for the oss-security list exclusively.
Thanks,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/