Date: Wed, 18 Mar 2015 09:40:53 +0100
From: Christian Rebischke <chris.rebischke@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases

Hello,
I should mention that I forgot to include one CVE in my tweet: CVE-2015-0291.
I am not sure whether this CVE is high or low severity, but according to the
OpenSSL bug guideline it should be 'high'. It seems that this CVE is a DoS vulnerability:

https://twitter.com/ramosbugs/status/577935589397278720

@Sh1bumi @ArneBab @hynek I have working exploit for upcoming CVE-2015-0291 1.0.2
server DoS. As far as I know not active in wild.

@ramosbugs alias <David Ramos> is the bug reporter of CVE-2015-0291.

So, as far as I know, there are 4 OpenSSL CVEs:

CVE-2015-0209, CVE-2015-0285, CVE-2015-0288 and CVE-2015-0291

Are these all the CVEs, or are there any other currently reserved high-rated CVEs?

Best regards,

--------------------------------------------------------------
Christian Rebischke

Website    : www.nullday.de
Twitter    : @sh1bumi
Jabber     : shibumi@...ber.ccc.de
PGP        : 0x8D8172C8
Fingerprint: A224 6F57 FD0A AC81 3971 EEBE 5EDA 916B 3A2A 7C49
--------------------------------------------------------------

On Wed, Mar 18, 2015 at 11:17:47AM +0300, Solar Designer wrote:
> Mark -
> 
> It was suggested to me off-list that it'd be helpful to publicly specify
> not only the date, but also the time (and timezone) of the forthcoming
> OpenSSL releases.  Can you?
> 
> All -
> 
> On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> > I think the limited public info on this should be in here ASAP, hence
> > the forward.
> 
> References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:
> 
> https://twitter.com/Sh1bumi/status/577904223444168704
> 
> Mark's reply:
> 
> <@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.
> 
> <@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
> <@iamamoose> @Sp1l CVE-2015-0285 is https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
> 
> On vendor notifications so far:
> 
> <iamamoose> Per https://www.openssl.org/about/secpolicy.html we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
> <@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl
> 
> BTW, OpenSSL Security Policy at
> https://www.openssl.org/about/secpolicy.html specifies what kind of
> issues the three severity classifications may correspond to.
> 
> Alexander
