[Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
advisories at vsecurity.com
Tue Mar 27 20:18:33 BST 2012
As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.
> When it became apparent that this was to be violated since one or two of
> the affected upstreams wanted much more time, the reporter (Timothy D.
> Morgan of VSR Security) explained that at the time of his initial
> notification he had thought that 14 days would in fact be enough. While
> this sounds like a rather fundamental problem with a maximum embargo time
> policy (it is always possible that something new is discovered during
> discussion, which may invalidate the initial time estimate of the
> reporter), I've just added the following verbiage to hopefully reduce the
> number of such occurrences going forward:
> "If you have not yet notified upstream projects/developers of the affected
> software, other affected distro vendors, and/or affected Open Source
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."
I think this is a good idea. I likely misunderstood the process you want
researchers to follow when it comes to using the distros list. While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.
I'll reserve some additional comments for the oss-security list exclusively.
Full-Disclosure is hosted and sponsored by Secunia.