Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150318081747.GA18610@openwall.com>
Date: Wed, 18 Mar 2015 11:17:47 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Mark J Cox <mjc@...hat.com>
Subject: Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases

Mark -

It was suggested to me off-list that it'd be helpful to publicly specify
not only the date, but also the time (and timezone) of the forthcoming
OpenSSL releases.  Can you?

All -

On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> I think the limited public info on this should be in here ASAP, hence
> the forward.

References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:

https://twitter.com/Sh1bumi/status/577904223444168704

Mark's reply:

<@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.

<@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
<@iamamoose> @Sp1l CVE-2015-0285 is https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9

On vendor notifications so far:

<iamamoose> Per https://www.openssl.org/about/secpolicy.html we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
<@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl

BTW, OpenSSL Security Policy at
https://www.openssl.org/about/secpolicy.html specifies what kind of
issues the three severity classifications may correspond to.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.