possible rsync validation dos vuln

Nick Hilliard nick at foobar.org
Fri Oct 29 16:28:27 UTC 2021


Barry Greene wrote on 29/10/2021 13:15:
> "The NCSC will try to resolve the security problem that you have 
> reported in a system within 60 days. Once the problem has been resolved, 
> we will decide in consultation whether and how details will be published."
> 
> I would have expected you to counsel the researchers on responsible 
> disclosure principles.

there's a public statement about this from NCSC-NL:

> https://www.ncsc.nl/actueel/nieuws/2021/oktober/29/aanstaande-bekendmaking-cvd-procedure-rpki

"In this process a decision was made to inform the developer of 
RPKI-client only at a later stage. This decision was made on the basis 
of the public position of these developers, namely support for 
'full disclosure'. The developers of RPKI-client have let the NCSC 
know that they do not agree with involvement under embargo."

"During this process, a decision was made to inform the developer of 
RPKI-client at a later stage. This decision was made on the basis of 
the public standpoint of these developers, namely support for 'full 
disclosure'. The developers of RPKI-client have let the NCSC know that 
they do not agree with involvement under embargo."

Looks like the NCSC got confused about OpenBSD's internal security vuln 
management process, which involves full disclosure on their terms, and 
the way they operate with disclosures from third parties / multiparty 
engagement, which involves co-operation with the disclosing party / CERT 
about mutually acceptable terms, including co-ordinated disclosure, i.e. 
standard industry practice. Some public clarity from the openbsd people 
would help here.

+ there was a screwup with the rcynic developers.

It's a bit much to claim that the openbsd (+ rcynic) people didn't agree 
with involvement under embargo when the terms were apparently: we're 
releasing details in 4 days and will only tell you what the problem is 
if you agree to this.

Regardless of how this misunderstanding came about, this style of 
approach doesn't form part of an acceptable vulnerability management 
process.

Nick


More information about the NANOG mailing list