
[Xen-devel] Uncontrolled disclosure of advisories XSA-26 to XSA-32



We just sent the message below to the security advisory predisclosure
list, relating to the release of XSA-26 to XSA-32.  As you will see,
these have now been publicly released.

We'll have a proper conversation about this in a week or two.

Thanks for your attention,
Ian.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We regret to announce that a member of the predisclosure list
discovered today that they had failed to abort their disclosure
process in response to the embargo extension for XSA-26 to XSA-32.
The information in XSA-26 to XSA-32 has been publicly available since
at least Friday the 30th of November.

They reported the situation to us.  Under the circumstances we must
regard the embargo as at an end.  All members of the predisclosure
list are advised to publish and deploy their updates for XSA-26 to
XSA-32 inclusive as soon as they are able to do so.

Updated versions of XSA-26 to XSA-32, stating that they are now
public, will be sent out shortly - both to the predisclosure list and
to the public lists, according to the usual process.

As usual when we have had difficulties with the process the Xen.org
security team will conduct a full post mortem.  The post mortem will
consider the decision to extend the embargo, as well as the decision
now to regard the embargo as over.  As before, to allow members of the
community to concentrate entirely on patching their systems right now,
we will delay starting that conversation until at least Thursday the
13th of December.

Xen.org security team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
