OpenSSL Security Advisory
rsbecker at nexbridge.com
rsbecker at nexbridge.com
Thu Mar 23 14:14:08 UTC 2023
On Thursday, March 23, 2023 9:56 AM, Tomas Mraz wrote:
>On Thu, 2023-03-23 at 09:45 -0400, rsbecker at nexbridge.com wrote:
>> On Thursday, March 23, 2023 3:40 AM, Tomas Mraz wrote:
>> > To: rsbecker at nexbridge.com; openssl-users
>> > <openssl-users at openssl.org> On Wed, 2023-03-22 at 15:12 -0400,
>> > rsbecker at nexbridge.com wrote:
>> > > On Wednesday, March 22, 2023 11:50 AM Tomas Mraz wrote:
>> > > <snip>
>> > > > OpenSSL 3.1 users should upgrade to 3.1.1.
>> > > > OpenSSL 3.0 users should upgrade to 3.0.9.
>> > > > OpenSSL 1.1.1 users should upgrade to 1.1.1u.
>> > > > OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support
>> > > > customers
>> > > only).
>> > >
>> > > Is there an ETA for 3.1.1, 3.0.9, 1.1.1u in the github repo?
>> >
>> > There is no ETA for the next releases. Unless there is any issue of
>> > severity higher than Low we usually do a release in 3 months after
>> > the previous patch release.
>>
>> Thanks. I was confused by the phrasing of the above, regarding
>> upgrading to the new releases that are not in the repo.
>
>There is the `Once they are released:` paragraph just before these sentences.
>Perhaps that is too confusing and we should simply drop these sentences from the
>Low advisories?
Might be a good idea. I guess I just read through it. Problem is that security advisories trigger action and review in my organization - a good thing, but we have to modify the response to differentiate when releases are not available.
Thanks,
Randall
More information about the openssl-users
mailing list