Nessus is labeling the severity as medium
Dr Paul Dale
pauli at openssl.org
Tue Apr 4 23:06:19 UTC 2023
I was discussing CVE-2023-0466 which seemed to be the relevant one.
Looking again, the table you included isn't overly clear (to me at
least) what it's referring to.
Dr Paul Dale
On 5/4/23 09:02, Dr Paul Dale wrote:
> We do not have a firm release date for 1.1.1u at this point. As per
> our policy, LOW severity CVE are not release triggering and this one
> is considered LOW severity by the project. Baring other
> eventualities, three months is a likely time frame.
> I'll note that the issue here was in the documentation and that the
> fix is purely a documentation change. This change is already
> available online on our web site:
> Dr Paul Dale
> On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
>> When will OpenSSL 1.1.1u be released?
>> Tenable indicates the vulnerability severity of 1.1.1t as medium. I
>> found this post indicating that there is no ETA on the release of
>> OpenSSL 1.1.1u and that it may not be released for 3 months.
>> OpenSSL Security Advisory
>> From Nessus/Tenable scan:
>> Plugin Plugin Name Severity Plugin Output Solution Risk Factor CVE
>> 173260 OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities Medium
>> Plugin Output:
>> Banner: Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8
>> Reported version : 1.1.1t
>> Fixed version: 1.1.1u Upgrade to OpenSSL version 1.1.1u or later.
>> Medium CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
>> Jack Joslin
>> Business Services Outsourcing Center (BSOC)
>> General Dynamics, Information Technology
>> 327 Columbia Turnpike, Rensselaer, NY 12144
>> jack.joslin at gdit.com
>> m: +1.321.431.5117
>> Follow us on Facebook <http://www.facebook.com/OfficialCSRA> |
>> Twitter <http://www.twitter.com/csra_inc> | LinkedIn
>> This electronic message transmission contains information from GDIT
>> which may be attorney-client privileged, proprietary or confidential.
>> The information in this message is intended only for use by the
>> individual(s) to whom it is addressed. If you believe you have
>> received this message in error, please contact me immediately and be
>> aware that any use, disclosure, copying or distribution of the
>> contents of this message is strictly prohibited. NOTE: Regardless of
>> content, this e-mail shall not operate to bind GDIT to any order or
>> other contract unless pursuant to explicit written agreement or
>> government initiative expressly permitting the use of e-mail for such
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users