February 20, 2014

CVE-2014-0081 timeline

Two days ago, a new vulnerability in Rails was made public. Since I am subscribed to several mailing lists and use several security services, I got the information multiple times, and I thought it could be interesting to draw a timeline of those alerts, to see which tools/services were faster and how the information flows:
12.Feb.2014 - 02:36 CET - Rafael Mendonça França commits the fix (private)[1]

14.Feb.2014 - 21:41 CET - Red Hat creates Bugzilla entry (private)[2]

18.Feb.2014 - 17:06 CET - SUSE creates Bugzilla entry (private)[3]

18.Feb.2014 - 20:00 CET - Rafael Mendonça França merges the fix to master[4]
                        - version 4.1.0.beta2 is released[5]
                        - version 4.0.3 is released[5]
                        - version 3.2.17 is released[5]

18.Feb.2014 - 20:03 CET - Aaron Patterson sends email to rubyonrails-security@googlegroups.com, oss-security@lists.openwall.com, secalert@redhat.com[6][7]

18.Feb.2014 - 20:10 CET - redruby.io service sends me an email[8]

18.Feb.2014 - 20:12 CET - Aaron Patterson sends email to ruby-security-ann@googlegroups.com[9]

18.Feb.2014 - 20:17 CET - Rafael França publishes on weblog.rubyonrails.org[10]

18.Feb.2014 - 20:33 CET - hakiri.io service sends me an email[11]

18.Feb.2014 - 20:36 CET - holepicker adds the security alerts to its database[12]

18.Feb.2014 - 21:06 CET - Hacker News publishes it on its blog[13]

18.Feb.2014 - 21:38 CET - Red Hat removes the embargo[2]

19.Feb.2014 - 03:30 CET - entry added to OSVDB[14]

19.Feb.2014 - 09:03 CET - SUSE removes the embargo[3]

19.Feb.2014 - 11:49 CET - gemnasium.com sends me an email[15]

20.Feb.2014 - 15:24 CET - Ruby Weekly publishes the news (Ruby Weekly is released every Thursday)[16]
[1] https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1065520
[3] https://bugzilla.novell.com/show_bug.cgi?id=864433
[4] https://github.com/rails/rails/commit/1879c259b870938c42d5d52f63123bfa0b8c81c8
[5] http://rubygems.org/gems/rails/versions
[6] https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
[7] http://www.openwall.com/lists/oss-security/2014/02/18/8
[8] https://www.redruby.io
[9] https://groups.google.com/forum/#!topic/ruby-security-ann/1PWnwW4jRkY
[10] http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
[11] https://haikiri.io
[12] https://github.com/jsuder/holepicker/commits/master/lib/holepicker/data/data.json
[13] https://www.facebook.com/hnbot
[14] http://osvdb.org/103439
[15] https://gemnasium.com
[16] http://rubyweekly.com