
Theo de Raadt on OpenSSL vulnerabilities coming on the 19th - bootload
http://marc.info/?l=openbsd-misc&m=142654095813320&w=2
======
onestone
The situation seems to have changed (core LibreSSL developers have now had
disclosure from OpenSSL):

[http://marc.info/?l=openbsd-misc&m=142660009729096&w=2](http://marc.info/?l=openbsd-misc&m=142660009729096&w=2)

------
noir_lord
> The OpenSSL group do not tell the LibreSSL group about vulnerabilities that
> they are fixing in upcoming releases.

> Why? Well, they just don't. That's the whole story.

Then the story sucks, security of core components underlying the internet is
bigger than any one group.

Respect for end users would indicate that a simple heads up of a high severity
bug to someone on the LibreSSL team would be the way to go.

~~~
detaro
Well, according to (also unsourced, so no clue what the "real" story is)
comments on the sister submission [1] it is because LibreSSL doesn't want to
take part in the embargo on reported vulnerabilities.

[1]
[https://news.ycombinator.com/item?id=9216815](https://news.ycombinator.com/item?id=9216815)

~~~
alecco
That's because they patch within a couple of days and don't want their systems
unpatched for long (30 to 60 days!) when there is a known issue out in the
wild. The flaws tend to get leaked, the temptation is big because there are
huge money incentives.

I bet if the embargo were for 5 days they would reconsider. But good luck with
that with members like Microsoft, Cisco, Oracle, which have a terrible reputation
of postponing things the maximum possible.

~~~
danielweber
It's not "in the wild."

OpenBSD is making the gamble that either a) they can pressure the adults doing
coordinated disclosure to stop doing that via their excellent people skills,
or b) that they are so awesome that they can find the problems before everyone
else.

NB: I love OpenBSD from a security POV, but that doesn't mean what the leaders
of the project do is always correct for security.

~~~
detaro
We mostly don't know if it is already "in the wild" or not, if it will be
found independently during the embargo period, if it will leak out of one of
the organizations "in the know", ...

Didn't people find traces of Heartbleed attacks that happened months before
it was published?

There are good arguments for very short embargo periods, especially if you
mostly care about the security of _your_ users. (of course, in a perfect world
every vendor would be willing/able to release patches after 24 h or so, and it
wouldn't matter, but we don't have one of those...)

------
some_furry
If the fix is already committed for any of the vulnerabilities, then the
answer is a simple github search away:

[https://github.com/openssl/openssl/compare/OpenSSL_1_0_1l...OpenSSL_1_0_1-stable](https://github.com/openssl/openssl/compare/OpenSSL_1_0_1l...OpenSSL_1_0_1-stable)

[https://github.com/openssl/openssl/compare/OpenSSL_1_0_2...OpenSSL_1_0_2-stable](https://github.com/openssl/openssl/compare/OpenSSL_1_0_2...OpenSSL_1_0_2-stable)

Some interesting commits:

[https://github.com/openssl/openssl/commit/327de270d583e716bc0282dd0d59e133f41d7ada](https://github.com/openssl/openssl/commit/327de270d583e716bc0282dd0d59e133f41d7ada)

[https://github.com/openssl/openssl/commit/f5ee5213073870493a8ade98b13ea41a2b20b8d4](https://github.com/openssl/openssl/commit/f5ee5213073870493a8ade98b13ea41a2b20b8d4)

[https://github.com/openssl/openssl/commit/51527f1e3564f210e984fe5b654c45d34e4f03d7](https://github.com/openssl/openssl/commit/51527f1e3564f210e984fe5b654c45d34e4f03d7)

~~~
cjg_
It is weird, two of them (CVE-2015-0288 and CVE-2015-0209) are listed here
also with links to patches: [https://security-tracker.debian.org/tracker/source-package/openssl](https://security-tracker.debian.org/tracker/source-package/openssl)
Why have an embargo on the vulnerabilities if you publish patches anyway? Which
makes me think that the patches have not been committed yet and that the
embargoed ones are different from these.

~~~
geeknik
I found an OpenSSL bug that was assigned CVE-2015-0208 and it is still
embargoed near as I can tell.

------
kriro
I can't say I feel comfortable with an announcement of "there's a
vulnerability ranked high but we won't patch it until the 19th". I get why
they do it that way and I prefer this announcement to nothing, but it's still
somewhat unsettling.

They obviously know a lot more about security than I do so I'll live with that
decision.

~~~
TomMasz
It's less than ideal but the obvious remediation is to update OpenSSL. Of
course, if there are any other remediations it would be nice to know about
them sooner. I know I'll have customers bugging me before Thursday.

------
tomjen3
Oh great, egos in programming leading to worse security situations for
everybody.

Yeah Theo they made a fork of your code because it was insecure - that doesn't
mean you should hope for them to fail just so you can say "they had a bug
too".

~~~
shiggerino
Who exactly made a fork of Theo's code?

Also, I don't see how you can read any ill intent out of the email alone. It
shouldn't be unreasonable for the OpenSSL devs to share vulnerabilities with
LibreSSL. I don't think he would use it for any malicious purposes. Though I
guess it makes you want to err on the side of caution when he comes up with
such classics as declaring Apache 2.0 proprietary for no other reason that it
has more lines of text than the previous version.

~~~
jdiez17
I'd think tomjen3 meant "Yeah Theo made a fork of (...)" instead of "Yeah Theo
they". Looks like he originally wrote "Yeah they made a fork (...)", then he
rephrased and forgot to delete the "they".

------
rikkus
Not sure what he's saying. That the OpenSSL group are going to send the
LibreSSL group vulnerabilities? That the LibreSSL group are about to disclose
OpenSSL vulnerabilities? Just a bit confused!

Okay, a later story just appeared, I quote:

    "This or earlier LibreSSL releases may also address issues that are to be revealed
    by The OpenSSL Project Team on the 19th of March, 2015."

This story is probably redundant now, then.

~~~
tomaac
He is referring to [https://mta.openssl.org/pipermail/openssl-announce/2015-March/000020.html](https://mta.openssl.org/pipermail/openssl-announce/2015-March/000020.html)

