Date: Wed, 18 Mar 2015 09:40:53 +0100
From: Christian Rebischke <>
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL

I should mention that I forgot to include one CVE in my tweet: CVE-2015-0291.
I am not sure whether this CVE is high or low severity, but according to the
OpenSSL bug guideline it should be 'high'. It seems that this CVE is a DoS vulnerability:

@Sh1bumi @ArneBab @hynek I have working exploit for upcoming CVE-2015-0291 1.0.2
server DoS. As far as I know not active in wild.

@ramosbugs alias <David Ramos> is the bug reporter of CVE-2015-0291.

So, as far as I know, there are 4 openssl CVEs:

CVE-2015-0209, CVE-2015-0285, CVE-2015-0288 and CVE-2015-0291

Are these all CVEs or are there any other currently reserved high rated CVEs?

best regards,

Christian Rebischke

Website    :
Twitter    : @sh1bumi
Jabber     :
PGP        : 0x8D8172C8
Fingerprint: A224 6F57 FD0A AC81 3971 EEBE 5EDA 916B 3A2A 7C49

On Wed, Mar 18, 2015 at 11:17:47AM +0300, Solar Designer wrote:
> Mark -
>
> It was suggested to me off-list that it'd be helpful to publicly specify
> not only the date, but also the time (and timezone) of the forthcoming
> OpenSSL releases.  Can you?
>
> All -
>
> On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> > I think the limited public info on this should be in here ASAP, hence
> > the forward.
>
> References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:
>
> Mark's reply:
>
> <@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.
> <@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
> <@iamamoose> @Sp1l CVE-2015-0285 is;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
>
> On vendor notifications so far:
>
> <iamamoose> Per we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
> <@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl
>
> BTW, OpenSSL Security Policy at
> specifies what kind of
> issues the three severity classifications may correspond to.
>
> Alexander
