From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Daley Subject: Re: [oss-security] Re: Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host hang Date: Tue, 3 Dec 2013 11:43:19 +1300 Message-ID: References: <21148.49637.13497.191457@mariner.uk.xensource.com> <529CCE8C.6010005@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <529CCE8C.6010005@redhat.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: oss-security@lists.openwall.com Cc: "Xen.org security team" , Xen-devel List-Id: xen-devel@lists.xenproject.org On Tue, Dec 3, 2013 at 7:16 AM, Kurt Seifried wrote: > On 12/02/2013 10:22 AM, Ian Jackson wrote: >> * Should the Xen Project security te4am have treated this issue >> with an embargo at all, given that the flaw itself was public ? > > I would say this depends on the level of public disclosure. For > example from "upstream" (AMD) there was a very limited disclosure (no > public announcement I'm aware of) and just some notes in a single PDF. > However this was also made public via the person who found it and then > picked up by ZDnet in an article, so I would personally count that as > quite public. Can you post a link to this ZDnet article? I don't think it can be the one linked in the CVE description itself, because that talks about a different, earlier bug IIUC; I privately asked Matt Dillon, who discovered Errata 721, and he agreed that this CVE talks about a different (but maybe related) Errata, #793. - Matthew