Nessus is labeling the severity as medium

Dr Paul Dale pauli at openssl.org
Tue Apr 4 23:02:17 UTC 2023


We do not have a firm release date for 1.1.1u at this point.  As per our 
policy, LOW severity CVEs are not release-triggering and this one is 
considered LOW severity by the project.  Barring other eventualities, 
three months is a likely time frame.

I'll note that the issue here was in the documentation and that the fix 
is purely a documentation change.  This change is already available 
online on our web site:

https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html


Dr Paul Dale

On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
> Hello,
>
> When will OpenSSL 1.1.1u be released?
>
> Tenable indicates the vulnerability severity of 1.1.1t as medium. I 
> found this post indicating that there is no ETA on the release of 
> OpenSSL 1.1.1u and that it may not be released for 3 months.
>
> OpenSSL Security Advisory 
> <https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html>
>
> From Nessus/Tenable scan:
>
> Plugin: 173260
> Plugin Name: OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities
> Severity: Medium
> Plugin Output:
>   Banner: Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8
>   Reported version : 1.1.1t
>   Fixed version: 1.1.1u
> Solution: Upgrade to OpenSSL version 1.1.1u or later.
> Risk Factor: Medium
> CVE: CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
>
>
> Regards,
> Jack Joslin
>
> Business Services Outsourcing Center (BSOC)
>
> General Dynamics, Information Technology
>
> 327 Columbia Turnpike, Rensselaer, NY 12144
>
> jack.joslin at gdit.com
>
> m: +1.321.431.5117