Nessus is labeling the severity as medium

Dr Paul Dale pauli at openssl.org
Tue Apr 4 23:06:19 UTC 2023


I was discussing CVE-2023-0466 which seemed to be the relevant one. 
Looking again, the table you included isn't overly clear (to me at 
least) what it's referring to.

Dr Paul Dale

On 5/4/23 09:02, Dr Paul Dale wrote:
> We do not have a firm release date for 1.1.1u at this point.  As per 
> our policy, LOW severity CVEs are not release triggering and this one 
> is considered LOW severity by the project.  Barring other 
> eventualities, three months is a likely time frame.
>
> I'll note that the issue here was in the documentation and that the 
> fix is purely a documentation change.  This change is already 
> available online on our web site:
>
> https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html
>
>
> Dr Paul Dale
>
> On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
>> Hello,
>>
>> When will OpenSSL 1.1.1u be released?
>>
>> Tenable indicates the vulnerability severity of 1.1.1t as medium. I 
>> found this post indicating that there is no ETA on the release of 
>> OpenSSL 1.1.1u and that it may not be released for 3 months.
>>
>> OpenSSL Security Advisory 
>> <https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html>
>>
>> From Nessus/Tenable scan:
>>
>> Plugin: 173260
>> Plugin Name: OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities
>> Severity: Medium
>> Plugin Output:
>>   Banner: Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8
>>   Reported version: 1.1.1t
>>   Fixed version: 1.1.1u
>> Solution: Upgrade to OpenSSL version 1.1.1u or later.
>> Risk Factor: Medium
>> CVE: CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
>>
>>
>> Regards,
>> Jack Joslin
>>
>> Business Services Outsourcing Center (BSOC)
>>
>> General Dynamics, Information Technology
>>
>> 327 Columbia Turnpike, Rensselaer, NY 12144
>>
>> jack.joslin at gdit.com
>>
>> m: +1.321.431.5117
>>
>>
>
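The Nessus finding quoted above is a banner-based version check: the plugin reads the OpenSSL token out of the Apache Server header, compares it with the branch's fixed version, and attaches the advisory's CVE list when the reported version is older. The following is an added example, not code from the OpenSSL project, Tenable, or anyone in this thread; it reproduces that comparison on the banner from the scan output. The fixed-version table and the CVE list are assumptions copied from the quoted plugin output, and the OpenSSL 1.1.1 patch-letter ordering (1.1.1 < 1.1.1a < ... < 1.1.1t < 1.1.1u) is the only versioning rule it relies on.

```python
"""Banner-based OpenSSL version check of the kind a scanner plugin performs.

Added example, not code from the OpenSSL project, Tenable or the people in
this thread.  It extracts the OpenSSL version from an HTTP server banner and
compares it against an assumed fixed version, exactly as a version-only
plugin does.  A banner reveals nothing about which fixes are actually
present: distributions that backport patches keep the upstream version
string, and a documentation-only fix (as the project describes for the CVE
discussed above) changes no observable code at all.
"""
import re
from typing import NamedTuple, Optional

# Sample input, constructed from the banner quoted in the scan output.
SAMPLE_BANNER = "Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8"

# Assumed plugin data: release branch -> first fixed version, and the CVEs the
# plugin attaches to the finding (CVE-2023-0464 is duplicated in the quoted
# output; the check de-duplicates it when reporting).
FIXED_VERSIONS = {"1.1.1": "1.1.1u"}
PLUGIN_CVES = ["CVE-2023-0464", "CVE-2023-0464", "CVE-2023-0465", "CVE-2023-0466"]

_BANNER_RE = re.compile(r"\bOpenSSL/(\d+\.\d+\.\d+[a-z]*)")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


class OpenSSLVersion(NamedTuple):
    """Comparable version: tuple ordering gives 1.1.1 < 1.1.1a < ... < 1.1.1u."""
    major: int
    minor: int
    patch: int
    letter: str  # patch letter on 1.x.y releases; empty on 3.x numeric releases

    @property
    def branch(self) -> str:
        # 1.1.1 is itself the branch; 3.x branches are major.minor (e.g. "3.0").
        if self.major < 3:
            return f"{self.major}.{self.minor}.{self.patch}"
        return f"{self.major}.{self.minor}"


def parse_openssl_version(text: str) -> OpenSSLVersion:
    """Parse '1.1.1t' or '3.0.8' into a comparable OpenSSLVersion."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter)


def version_from_banner(banner: str) -> Optional[str]:
    """Return the OpenSSL/<version> token from a server banner, or None."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def evaluate_banner(banner: str) -> Optional[dict]:
    """Mimic the plugin: flag the host when reported version < fixed version."""
    reported = version_from_banner(banner)
    if reported is None:
        return None  # no OpenSSL token: a banner-only plugin has nothing to say
    rv = parse_openssl_version(reported)
    fixed = FIXED_VERSIONS.get(rv.branch)
    if fixed is None:
        # Branch not covered by the assumed table: no finding from this plugin.
        return {"reported": reported, "fixed": None, "affected": False, "cves": []}
    affected = rv < parse_openssl_version(fixed)
    return {
        "reported": reported,
        "fixed": fixed,
        "affected": affected,
        "cves": sorted(set(PLUGIN_CVES)) if affected else [],
    }


if __name__ == "__main__":
    print(evaluate_banner(SAMPLE_BANNER))
```

Run against the quoted banner this reports 1.1.1t as affected with fixed version 1.1.1u, which is all the plugin knows; whether a given CVE applies to the deployment (and at what severity) has to come from the advisory and the code in question, not from the banner.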