[openssl-dev] On release pre announcements
Martin Hecht
hecht at hlrs.de
Fri Jul 10 09:06:45 UTC 2015
On 07/09/2015 09:06 PM, Salz, Rich wrote:
> Perhaps something like the CVE vectors, that others have suggested?
> https://nvd.nist.gov/CVSS/Vector-v2.aspx
>
> It's (a bit?) extra work while getting the release out, so it would be good to hear enthusiastic support for this :)
Yes, this would be very helpful.
Also, in this particular case, the following piece of information (and
especially your clarification) would have been useful if it were
included in the pre-announcement (but maybe the heads-up was a bit fuzzy
on purpose, with the intention not to point attackers to the exact
location of the bug in the source?):
Subject: Re: [openssl-users] [openssl-dev] OpenSSL Security Advisory
Date: Thu, 9 Jul 2015 13:13:30 +0000
From: Salz, Rich <rsalz at akamai.com>
Reply-To: openssl-users at openssl.org
To: openssl-dev at openssl.org <openssl-dev at openssl.org>, OpenSSL User
Support ML <openssl-users at openssl.org>
> This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
In other words, if you are not using those specific releases -- i.e.,
the ones that came out less than 30 days ago -- you do not need to upgrade.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150710/372fbbed/attachment.html>
More information about the openssl-dev
mailing list