Date: Wed, 18 Mar 2015 11:17:47 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Mark J Cox <mjc@...hat.com>
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases

Mark -

It was suggested to me off-list that it'd be helpful to publicly specify
not only the date, but also the time (and timezone) of the forthcoming
OpenSSL releases.  Can you?

All -

On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> I think the limited public info on this should be in here ASAP, hence
> the forward.

References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:

https://twitter.com/Sh1bumi/status/577904223444168704

Mark's reply:

<@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.

<@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public

<@iamamoose> @Sp1l CVE-2015-0285 is https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

On vendor notifications so far:

<iamamoose> Per https://www.openssl.org/about/secpolicy.html we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.

<@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl

BTW, OpenSSL Security Policy at https://www.openssl.org/about/secpolicy.html
specifies what kind of issues the three severity classifications may
correspond to.

Alexander