Date: Tue, 8 Apr 2014 00:05:25 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information
 disclosure CVE-2014-0160

On Mon, Apr 07, 2014 at 01:56:27PM -0700, Reed Loden wrote:
> I just asked around on IRC, and one of the Ubuntu guys said they didn't
> get any prior notification of this, so fixed packages won't be out
> until tomorrow at the earliest (for Ubuntu).

Neither Debian nor SUSE were aware either.
> 
> Was this not coordinated with the distros at all? If not, that seems
> like major fail on the reporters and NCSC-FI's part. :/
> 

There was a mail from Red Hat on Monday morning (CEST) with no detail
and a CRD to April 9th. It seems the OpenSSL advisory came a bit
uncoordinated, actually, which (it seems) triggered the release of the
heartbeat and CloudFlare posts, as well as the Red Hat one here.

Regards,
-- 
Yves-Alexis Perez
