[Xen-devel] [SECURITY] XSA-133 Retrospective
A member of the security predisclosure list has asked that the security team publish a timeline relating to the short predisclosure period in this case. The final disclosure is at http://xenbits.xen.org/xsa/advisory-133.html

While the Xen Security policy[0] sets out various defaults, it ultimately hands control of the predisclosure and disclosure timings to the discoverer. In this case these had been determined prior to disclosure to the Xen security team.

In addition, in this case the vulnerability was in a 3rd party component (QEMU) with their own security team ("upstream security team"), to whom the discoverer had already/simultaneously disclosed the issue. For reference, the QEMU security process is at [1]. As such, the Xen security team deferred to the upstream security team in the creation of the fix.

[0] http://www.xenproject.org/security-policy.html
[1] http://wiki.qemu.org/SecurityProcess

Timeline:

Thu, 30 Apr 2015 21:21:31 +0000
    Disclosure of issue to security@xxxxxxx by crowdstrike.com ("the discoverer"). Was disclosed to others (upstream security team, Oracle, Operating System Distribution Security (oss-security) list) at the same time, and due to the policies of oss-security the embargo deadline was already fixed by the discoverer as May 13th, 2015.

Fri, 1 May 2015 16:25:57 +0100
    security@ brought into the loop with the upstream security team, preempting the Xen security team contacting them under policy 3.d. An initial patch to work around the issue (by disabling the fdc entirely) was proposed; however, this was deemed to be unsuitable by the upstream security team.

Tue, 5 May 2015 14:18:39 +0200
    An initial version of a patch to fix (rather than work around) the issue proposed by the upstream security team.

Wed, 6 May 2015 14:10:52 +0100
    Xen team inquired regarding status of patches: patch from Tue, 5 May 2015 14:18:39 +0200 is still the latest. Upon informal request by a Xen security team member, upstream security team member could not confirm whether the patch was final.

Thu, 7 May 2015 11:06:29 +0100
    security@xxxxxxx contacts the discoverer to request permission to predisclose to our xen-security-issues predisclosure list.

Thu, 7 May 2015 11:56:41 +0100
    First draft of advisory circulated to security@.

Thu, 7 May 2015 15:19:20 +0100
    Upstream security team member sends an update of the patch to security@xxxxxxxxxxxxxxx.

Thu, 7 May 2015 15:13:08 +0000
    The discoverer confirms that they are happy for us to predisclose on Monday (2015-05-11), subject to an embargo until the 13th.

Mon, 11 May 2015 11:28:31 +0000
    Second draft of advisory, containing updated patches from Thu, 7 May 2015 15:19:20 +0100, circulated to security@ and the discoverer.

Mon, 11 May 2015 17:13:37 +0000
    The discoverer sends email saying they are reviewing and promises feedback.

Mon, 11 May 2015 17:14:09 +0000
    Xen Security Team member signs v1 advisory and initiates release process.

Mon, 11 May 2015 17:14:26 +0000
    Mail from the discoverer received on workstation of Security Team member.

Mon, 11 May 2015 17:14:32 +0000
    Predisclosure goes to the xen-security-issues list.

Mon, 11 May 2015 18:14:32 +0000
    The discoverer sends confirmation and minor feedback on earlier draft advisory.

Wed, 13 May 2015 11:41:00 +0100
    Xen Security team informed via IRC that vulnerability is now public at http://venom.crowdstrike.com/.

Wed, 13 May 2015 11:16:02 +0000
    Public disclosure. This was slightly ahead of the timeline indicated during predisclosure, since the discoverer had already gone public earlier in the day. This highlighted a need to confirm precise details of the embargo (time as well as date) in cases where the discoverer initially only specifies a date.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel