Nessus is labeling the severity as medium
ethan.rahn at gmail.com
Wed Apr 5 03:02:23 UTC 2023
Every PM should have an exception process where you can give them a
statement about why it is not a problem for your application. I expect they
are trying to get out of filing paperwork.
Don't let policy get in the way of reality. Back in the days of blockchain
being hip there was a thought experiment: You work for a company that uses
the blockchain to manage all its shipments. The blockchain cannot be
tampered with so it is accurate. If one day you receive a box the
blockchain labeled as "bananas" and it is filled with batteries, what do
you do? Do you eat the batteries for potassium?
On Tue, Apr 4, 2023 at 5:24 PM Michael Mueller <abaci.mjm at gmail.com> wrote:
> CVE-2023-0464 has a base score of 7.5 and base severity of HIGH in the NVD
> That score and the description of the problem are misaligned in my opinion
> (meaning, I agree with the LOW severity - our app is not affected).
> But there are project managers in our organization that use NVD as the
> reference, and seeing the HIGH, are requiring a 30 day remediation deadline.
> Us devs are caught in the middle.
> Best regards and thanks for all you do,
> Mike Mueller
> On Tue, Apr 4, 2023 at 7:06 PM Dr Paul Dale <pauli at openssl.org> wrote:
>> I was discussing CVE-2023-0466 which seemed to be the relevant one.
>> Looking again, the table you included isn't overly clear (to me at least)
>> what it's referring to.
>> Dr Paul Dale
>> On 5/4/23 09:02, Dr Paul Dale wrote:
>> We do not have a firm release date for 1.1.1u at this point. As per our
>> policy, LOW severity CVEs are not release-triggering and this one is
>> considered LOW severity by the project. Barring other eventualities, three
>> months is a likely time frame.
>> I'll note that the issue here was in the documentation and that the fix
>> is purely a documentation change. This change is already available online
>> on our web site:
>> Dr Paul Dale
>> On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
>> When will OpenSSL 1.1.1u be released?
>> Tenable indicates the vulnerability severity of 1.1.1t as medium. I found
>> this post indicating that there is no ETA on the release of OpenSSL 1.1.1u
>> and that it may not be released for 3 months.
>> OpenSSL Security Advisory
>> From Nessus/Tenable scan:
>> Plugin:        173260
>> Plugin Name:   OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities
>> Severity:      Medium
>> Plugin Output: Banner : Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9
>>                Reported version : 1.1.1t
>>                Fixed version : 1.1.1u
>> Solution:      Upgrade to OpenSSL version 1.1.1u or later.
>> Risk Factor:   Medium
>> CVE:           CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
>> Jack Joslin
>> Business Services Outsourcing Center (BSOC)
>> General Dynamics, Information Technology
>> 327 Columbia Turnpike, Rensselaer, NY 12144
>> jack.joslin at gdit.com
>> m: +1.321.431.5117
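Editor's note on the scan result quoted above. The Nessus finding is a banner check: the plugin reads the OpenSSL version that Apache advertises in its Server header ("OpenSSL/1.1.1t"), compares it with the fixed version for that release branch ("1.1.1u"), and flags anything older. It says nothing about whether the application ever reaches the affected code, which is the gap the thread is arguing about. The following is an added example (not Tenable's plugin logic and not OpenSSL project code) that reproduces that kind of check so the comparison rule is explicit. It generalises to OpenSSL's two numbering schemes: 0.9.8 and 1.x used a trailing letter run as the patch level (1.1.1t, 1.0.2u, 0.9.8zh), while 3.x bumps the third number instead. The banners other than the one quoted in the thread are constructed sample inputs.

```python
"""Banner-based OpenSSL version check (added example, not a vendor plugin).

A Nessus-style "OpenSSL 1.1.1 < 1.1.1u" plugin works from the self-reported
version in a Server banner. This reproduces that comparison and makes the
ordering rule for OpenSSL's letter-suffixed releases explicit.
"""
import re
from typing import NamedTuple, Optional

# 0.9.8 and 1.x releases carry a trailing letter run as the patch level
# (1.1.1t, 1.0.2u, 0.9.8zh); 3.x dropped the letters and increments the
# third number. The letter group is optional so both forms parse.
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letters: str  # "" for 3.x and for the first release of a 1.x series

    @property
    def sort_key(self):
        # Letter runs are ordered by length first, then lexically, so that
        # "" < "a" < "z" < "za" < "zh" (the 0.9.8 series went past "z").
        return (self.major, self.minor, self.patch, len(self.letters), self.letters)

    def __str__(self):
        return f"{self.major}.{self.minor}.{self.patch}{self.letters}"


def parse_openssl_version(text: str) -> Optional[OpenSSLVersion]:
    """Extract the first OpenSSL/x.y.z[letters] token from a banner string."""
    m = OPENSSL_RE.search(text)
    if m is None:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def same_branch(a: OpenSSLVersion, b: OpenSSLVersion) -> bool:
    """A 'fixed in X' statement only applies within one release branch.

    1.x: the branch is major.minor.patch, letters are the patch level.
    3.x: the branch is major.minor, the third number is the patch level.
    """
    if a.major >= 3:
        return (a.major, a.minor) == (b.major, b.minor)
    return (a.major, a.minor, a.patch) == (b.major, b.minor, b.patch)


def banner_below_fixed(banner: str, fixed: str) -> Optional[bool]:
    """Return True if the banner advertises an OpenSSL build on the same
    branch as `fixed` but older than it, False if it is at or above, and
    None when the check does not apply (no OpenSSL version disclosed, e.g.
    ServerTokens Prod, or a different release branch).

    Note what this does NOT establish: that the affected code is reachable
    in the deployed application, or that a distro has not backported the
    fix while keeping the old version string.
    """
    reported = parse_openssl_version(banner)
    target = parse_openssl_version("OpenSSL/" + fixed)
    if reported is None or target is None or not same_branch(reported, target):
        return None
    return reported.sort_key < target.sort_key


if __name__ == "__main__":
    # First banner is the one from the scan output in the thread; the rest
    # are constructed to exercise the other branches of the check.
    samples = [
        ("Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9", "1.1.1u"),
        ("Apache/2.4.56 (Unix) OpenSSL/1.1.1u", "1.1.1u"),
        ("Apache", "1.1.1u"),                       # ServerTokens Prod: nothing to match
        ("Apache/2.4.56 (Unix) OpenSSL/1.0.2u", "1.1.1u"),  # other branch: not applicable
        ("nginx OpenSSL/3.0.8", "3.0.9"),           # 3.x numeric patch level
    ]
    for banner, fixed in samples:
        print(f"{banner!r:55} fixed={fixed}: {banner_below_fixed(banner, fixed)}")
```

The point the example makes for the thread: the scanner's verdict is a string comparison on a self-reported banner, which is exactly why a "Medium" or "HIGH" from the scan and the project's own "LOW" rating can both be correct at the same time. One measures what the server advertises; the other measures exploitability of the code involved.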