[openssl-dev] On release pre announcements

Hanno Böck hanno at hboeck.de
Wed Jul 8 10:34:19 UTC 2015


Hi,

In light of the last "Forthcoming OpenSSL release" I have two
suggestions:

First would it be possible to have not only a date, but also a
timeframe (maybe an hour + timezone info!) for when releases and
security announcements are expected to go public?

And second I wonder if OpenSSL needs another severity category. The
last announcement says there is a "high" severity security defect to be
expected. If I look at the March advisory there were two "high" vulns:
https://www.openssl.org/news/secadv_20150319.txt

One was a server DoS (you could probably crash a server) and the other
was FREAK (which only affected substandard configurations doing things
nobody should've done anyway).
Now judging by the gold standard of severe OpenSSL vulns (aka
Heartbleed) these aren't really super-worrying issues. Sure they need
to be patched and fixed. But what I really want to know in advance is
whether I have to stop anything I'm doing and patch my server
immediately because if I don't before the first PoCs come out I may be
in trouble.
So may I propose another category that includes only data exfiltration,
remote code execution or severe crypto breaks on reasonable default
configurations?


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
