
curl-library

Re: The life of a curl security bug

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 7 Oct 2017 17:38:06 +0200 (CEST)

On Sat, 7 Oct 2017, Rich Gray wrote:

> I tried to post this as a comment to your article, but it failed with:

Sorry, I get that at times and I haven't quite worked out why yet. (it has
something to do with the interaction with Fastly as the CDN for my site)

> Nice. I do wonder if you should spell out what a CVE is. Sometimes you
> seem to use CVE as shorthand for CVE id, at other times for the CVE report
> itself.

Hm, yes. I'll clarify that a little. Thanks!

> What sort of embargo does Mitre allow?

I honestly don't know. I've only used Mitre directly like once or twice and I
haven't had any problems or discussions with them about embargoes.

Mitre doesn't seem to have any proper system to know when the advisory is
finally made public (they often remain as "reserved" for a long time even
after having been made official) so I don't think they even know or care much
for embargo period lengths.

I prefer using the distros_at_openwall way as it also makes the advisory actually
get read by humans and often the patch(es) are tested/verified by people
before we make it official so it helps us ship a better advisory and a better
patch.

> (Every time I hear that name, I'm reminded of Clifford Stoll's delightful
> 1989 book, The Cuckoo's Egg[2]. The book is a great read if you can find
> it.)

Agreed. I've read it too!

-- 
  / daniel.haxx.se
Received on 2017-10-07