Date: Tue, 8 Apr 2014 00:05:25 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160

On Mon, Apr 07, 2014 at 01:56:27PM -0700, Reed Loden wrote:
> I just asked around on IRC, and one of the Ubuntu guys said they didn't
> get any prior notification of this, so fixed packages won't be out
> until tomorrow at the earliest (for Ubuntu).

Neither Debian nor Suse were aware either.

>
> Was this not coordinated with the distros at all? If not, that seems
> like major fail on the reporters and NCSC-FI's part. :/
>

There was a mail from Red Hat on Monday morning (CEST) with no detail and
a CRD to April 9th. It seems the OpenSSL advisory came a bit uncoordinated,
actually, which (it seems) triggered the release of the heartbeat and
Cloudflare posts, as well as the Red Hat one here.

Regards,
--
Yves-Alexis Perez