[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [SECURITY] XSA-133 Retrospective.

A member of the security predisclosure list has asked that the security
team publish a time line relating to the short predisclosure period in
this case.

The final disclosure is at http://xenbits.xen.org/xsa/advisory-133.html

While the Xen Security policy[0] sets out various defaults it ultimately
hands control of the predisclosure and disclosure timings to the
discoverer. In this case this had been determined prior to disclosure to
the Xen security team.

In addition in this case the vulnerability was in a 3rd party
component (QEMU) with their own security team ("upstream security
team") to whom the discoverer had already/simultaneously disclosed the
issue. For reference the QEMU security process is at [1]. As such the
Xen security team deferred to the upstream security team in the
creation of the fix.

[0] http://www.xenproject.org/security-policy.html
[1] http://wiki.qemu.org/SecurityProcess


Thu, 30 Apr 2015 21:21:31 +0000

        Disclosure of issue to security@xxxxxxx by crowdstrike.com
        ("the discoverer"). Was disclosed to others (upstream security
        team, Oracle, Operating System Distribution Security
        (oss-security) list) at the same time and due to the policies
        of oss-security the embargo deadline was already fixed by the
        discoverer as May 13th, 2015.

Fri, 1 May 2015 16:25:57 +0100

        security@ brought into the loop with the upstream security
        team, preempting the Xen security contacting them under policy
        3.d. An initial patch to workaround the issue (by disabling
        the fdc entirely) was proposed however this was deemed to be
        unsuitable by the upstream security team.

Tue, 5 May 2015 14:18:39 +0200

        An initial version of a patch to fix (rather than workaround)
        the issue proposed by the upstream security team.

Wed, 6 May 2015 14:10:52 +0100

        Xen team inquired regarding status of patches: patch from Tue,
        5 May 2015 14:18:39 +0200 is still the latest.  Upon informal
        request by a Xen security team member, upstream security team
        member could not confirm whether the patch was final.

Thu, 7 May 2015 11:06:29 +0100

        security@xxxxxxx contacts the discoverer to request permission
        to predisclose to our xen-security-issues predisclosure list.

Thu, 7 May 2015 11:56:41 +0100

        First draft of advisory circulated to security@

Thu, 7 May 2015 15:19:20 +0100

        Upstream security team member sends an update of the patch to

Thu, 7 May 2015 15:13:08 +0000

        The discoverer confirms that they are happy for us to
        predisclose on Monday (2015-05-11), subject to an embargo
        until 13th.

Mon, 11 May 2015 11:28:31 +0000

        Second draft of advisory containing updated patches from Thu,
        7 May 2015 15:19:20 +0100 circulated to security@ and the

Mon, 11 May 2015 17:13:37 +0000

        The discoverer sends email saying they are reviewing and
        promises feedback.

Mon, 11 May 2015 17:14:09 +0000

        Xen Security Team member signs v1 advisory and initiates
        release process.

Mon, 11 May 2015 17:14:26 +0000

        Mail from the discoverer received on workstation of Security
        Team member.

Mon, 11 May 2015 17:14:32 +0000

        Predisclosure goes to the xen-security-issues list.

Mon, 11 May 2015 18:14:32 +0000

        The discoverer sends confirmation and minor feedback on
        earlier draft advisory.

Wed, 13 May 2015 11:41:00 +0100

        Xen Security team informed via IRC that vulnerability is now
        public at http://venom.crowdstrike.com/.

Wed, 13 May 2015 11:16:02 +0000

        Public disclosure. This was slightly ahead of the timeline
        indicated during predisclosure since the discoverer had
        already gone public earlier in the day.

        This highlighted a need to confirm precise details of the
        embargo (time as well as date) in cases where the discoverer
        initially only specifies a date.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.