It’s now been a bit more than two months since OpenDaylight dealt with the the “netdump” vulnerability reported in August. The good news then was that we fixed the vulnerability and we were able to fix it and ship a new release of ODL with the fix in four days once we knew about the vulnerability. I want to echo Dave Meyer’s comments in saying just how impressive that is and how well the OpenDaylight community comes together when something needs to be done. The list is much longer than this, but in particular, Robert Varga and David Jorm were absolutely critical in pushing things through quickly and efficiently.
The bad news then, was that there was about a 4.5 month lag between when the vulnerability was discovered and and when we found out about it. However, the even better news now (and really this all happened over a month ago, but I haven’t had time to blog about) is that we have a bunch of new things in place that will prevent that kind of lag in our responding in the future. Some of them have even been covered elsewhere.