Date: Wed, 18 Mar 2015 11:17:47 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Mark J Cox <mjc@...hat.com>
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases

Mark -

It was suggested to me off-list that it'd be helpful to publicly specify
not only the date, but also the time (and timezone) of the forthcoming
OpenSSL releases.  Can you?

All -

On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> I think the limited public info on this should be in here ASAP, hence
> the forward.

References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:

https://twitter.com/Sh1bumi/status/577904223444168704

Mark's reply:

<@...amoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.

<@...amoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
<@...amoose> @Sp1l CVE-2015-0285 is https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

On vendor notifications so far:

<iamamoose> Per https://www.openssl.org/about/secpolicy.html we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
<@...amoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl

BTW, OpenSSL Security Policy at
https://www.openssl.org/about/secpolicy.html specifies what kind of
issues the three severity classifications may correspond to.

Alexander
