Date: Mon, 7 Apr 2014 14:00:53 -0700
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160

To my knowledge, the OpenSSL team does not maintain a pre-notification list
of any sort (I maintain a library which critically depends on OpenSSL and
we investigated getting on to such a list).

Alex

On Mon, Apr 7, 2014 at 1:56 PM, Reed Loden <reed@...dloden.com> wrote:

> I just asked around on IRC, and one of the Ubuntu guys said they didn't
> get any prior notification of this, so fixed packages won't be out
> until tomorrow at the earliest (for Ubuntu).
>
> Was this not coordinated with the distros at all? If not, that seems
> like major fail on the reporters and NCSC-FI's part. :/
>
> 2c,
> ~reed
>
> On Mon, 7 Apr 2014 21:43:46 +0200
> Tomas Hoger <thoger@...hat.com> wrote:
>
> > Hi!
> >
> > There's a new OpenSSL release 1.0.1g that fixes information leak issue:
> >
> > http://www.openssl.org/news/secadv_20140407.txt
> > http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
> > http://heartbleed.com/
> >
> > --
> > Tomas Hoger / Red Hat Security Response Team
>

--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084