Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Mar 2015 11:17:47 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Mark J Cox <mjc@...hat.com>
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases

Mark -

It was suggested to me off-list that it'd be helpful to publicly specify
not only the date, but also the time (and timezone) of the forthcoming
OpenSSL releases.  Can you?

All -

On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> I think the limited public info on this should be in here ASAP, hence
> the forward.

References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:

https://twitter.com/Sh1bumi/status/577904223444168704

Mark's reply:

<@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.

<@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
<@iamamoose> @Sp1l CVE-2015-0285 is https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

On vendor notifications so far:

<iamamoose> Per https://www.openssl.org/about/secpolicy.html we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
<@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl

BTW, OpenSSL Security Policy at
https://www.openssl.org/about/secpolicy.html specifies what kind of
issues the three severity classifications may correspond to.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.