<div dir="ltr">Every PM should have an exception process where you can give them a statement about why it is not a problem for your application. I expect they are trying to get out of filing paperwork.<div><br></div><div>Don't let policy get in the way of reality. Back in the days of blockchain being hip there was a thought experiment: You work for a company that uses the blockchain to manage all its shipments. The blockchain cannot be tampered with, so it is accurate. If one day you receive a box the blockchain labeled as "bananas" and it is filled with batteries, what do you do? Do you eat the batteries for potassium? </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 4, 2023 at 5:24 PM Michael Mueller &lt;<a href="mailto:abaci.mjm@gmail.com" target="_blank">abaci.mjm@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">CVE-2023-0464 has a base score of 7.5 and base severity of HIGH in the NVD (attached).</div><div dir="ltr"><br></div><div>That score and the description of the problem are misaligned in my opinion (meaning, I agree with the LOW severity - our app is not affected).</div><div><br></div><div>But there are project managers in our organization that use NVD as the reference, and seeing the HIGH, are requiring a 30-day remediation deadline.</div><div><br></div><div>Us devs are caught in the middle.</div><div><br></div><div>Best regards and thanks for all you do,</div><div>Mike Mueller<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 4, 2023 at 7:06 PM Dr Paul Dale &lt;<a href="mailto:pauli@openssl.org" target="_blank">pauli@openssl.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
I was discussing CVE-2023-0466 which seemed to be the relevant one.
Looking again, the table you included isn't overly clear (to me at
least) what it's referring to.<br>
<br>
Dr Paul Dale<br>
<br>
<div>On 5/4/23 09:02, Dr Paul Dale wrote:<br>
</div>
<blockquote type="cite">
We do not have a firm release date for 1.1.1u at this point. As
per our policy, LOW severity CVEs are not release triggering and
this one is considered LOW severity by the project. Barring other
eventualities, three months is a likely time frame.<br>
<br>
I'll note that the issue here was in the documentation and that
the fix is purely a documentation change. This change is already
available online on our web site:<br>
<br>
<a href="https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html" target="_blank">https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html</a><br>
<br>
<br>
Dr Paul Dale<br>
<br>
<div>On 4/4/23 23:16, Joslin, Jack via
openssl-users wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> <span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Hello,</span><br>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> When will
OpenSSL 1.1.1u be released? </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> Tenable
indicates the vulnerability severity of 1.1.1t as medium. I
found this post indicating that there is no ETA on the
release of OpenSSL 1.1.1u and that it may not be released
for 3 months.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> <a href="https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html" id="m_1606871466842425566m_-4457487107164938535m_-7128390285729142622LPlnk888762" target="_blank">OpenSSL Security Advisory</a><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"> From
Nessus/Tenable scan:<br>
</div>
<div>
<div id="m_1606871466842425566m_-4457487107164938535m_-7128390285729142622x_Signature">
<div name="x_divtagdefaultwrapper">
<div style="margin:0px"><br>
</div>
<div style="margin:0px">
<table border="1" style="border-collapse:collapse">
<thead>
<tr>
<th>Plugin</th>
<th>Plugin Name</th>
<th>Severity</th>
<th>Plugin Output</th>
<th>Solution</th>
<th>Risk Factor</th>
<th>CVE</th>
</tr>
</thead>
<tbody>
<tr>
<td>173260</td>
<td>OpenSSL 1.1.1 &lt; 1.1.1u Multiple Vulnerabilities</td>
<td>Medium</td>
<td>Plugin Output:<br>
Banner : Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8<br>
Reported version : 1.1.1t<br>
Fixed version : 1.1.1u</td>
<td>Upgrade to OpenSSL version 1.1.1u or later.</td>
<td>Medium</td>
<td>CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466</td>
</tr>
</tbody>
</table>
<br>
</div>
<div style="margin:0px">Regards,</div>
<div style="margin:0px"> </div>
<div style="margin:0px">Jack Joslin</div>
<div style="margin:0px">
<p style="margin:0in 0in 0pt;line-height:normal"> Business Services Outsourcing Center (BSOC)</p>
</div>
<div style="margin:0px">
<p style="margin:0in 0in 0pt;line-height:normal"> General Dynamics, Information
Technology</p>
<p style="margin:0in 0in 0pt;line-height:normal"> 327 Columbia Turnpike,
Rensselaer, NY 12144</p>
<p style="margin:0in 0in 0pt;line-height:normal"> <a href="mailto:jack.joslin@gdit.com" target="_blank">jack.joslin@gdit.com</a></p>
<p style="margin:0in 0in 0pt;line-height:normal"> <span style="line-height:115%;font-family:Arial,"sans-serif";font-size:10pt;color:rgb(31,73,125)">m:
+1.321.431.5117</span></p>
</div>
<div style="margin:0px"> </div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</blockquote>
<br>
</div>
</blockquote></div>
</blockquote></div>