Date: Wed, 18 Mar 2015 11:17:47 +0300
From: Solar Designer <>
Cc: Mark J Cox <>
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases

Mark -

It was suggested to me off-list that it'd be helpful to publicly specify
not only the date, but also the time (and timezone) of the forthcoming
OpenSSL releases.  Can you?

All -

On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> I think the limited public info on this should be in here ASAP, hence
> the forward.

References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:

Mark's reply:

<@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.

<@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
<@iamamoose> @Sp1l CVE-2015-0285 is;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

On vendor notifications so far:

<iamamoose> Per we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
<@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl

BTW, OpenSSL Security Policy at specifies what kind of
issues the three severity classifications may correspond to.

