<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I was discussing CVE-2023-0466 which seemed to be the relevant one.
Looking again, the table you included isn't overly clear (to me at
least) what it's referring to.<br>
<br>
Dr Paul Dale<br>
<br>
<div class="moz-cite-prefix">On 5/4/23 09:02, Dr Paul Dale wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7a80195b-1d76-4afa-7339-5727c85a6b27@openssl.org">
We do not have a firm release date for 1.1.1u at this point. As
per our policy, LOW severity CVEs are not release triggering and
this one is considered LOW severity by the project. Barring other
eventualities, three months is a likely time frame.<br>
<br>
I'll note that the issue here was in the documentation and that
the fix is purely a documentation change. This change is already
available online on our web site:<br>
<br>
<a class="moz-txt-link-freetext"
href="https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html"
moz-do-not-send="true">https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html</a><br>
<br>
<br>
Dr Paul Dale<br>
<br>
<div class="moz-cite-prefix">On 4/4/23 23:16, Joslin, Jack via
openssl-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SA1P110MB15045BD147AB46A096FF61FA9B939@SA1P110MB1504.NAMP110.PROD.OUTLOOK.COM">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);" class="elementToProof"> <span
style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">Hello,</span><br>
</div>
<div dir="ltr">
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> <br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> When will
OpenSSL 1.1.1u be released? </div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> <br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> Tenable
indicates the vulnerability severity of 1.1.1t as medium. I
found this post indicating that there is no ETA on the
release of OpenSSL 1.1.1u and that it may not be released
for 3 months.</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> <br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> <a
href="https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html"
class="ContentPasted0" id="LPlnk888762"
moz-do-not-send="true">OpenSSL Security Advisory</a><br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> <br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"> From
Nessus/Tenable scan:<br>
</div>
<div class="x_elementToProof">
<div id="x_Signature">
<div name="x_divtagdefaultwrapper"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:; margin:0">
<div style="margin:0px"><br>
</div>
<div style="margin:0px">
<table class="x_ContentPasted0"
style="border-collapse:collapse; width:789pt"
width="1050">
<colgroup class="x_ContentPasted0"><col
class="x_ContentPasted0" style="width:48pt"
width="64"><col class="x_ContentPasted0"
style="width:92pt" width="122"><col
class="x_ContentPasted0" style="width:48pt"
width="64"><col class="x_ContentPasted0"
style="width:341pt" width="455"><col
class="x_ContentPasted0" style="width:128pt"
width="170"><col class="x_ContentPasted0"
style="width:55pt" width="73"><col
class="x_ContentPasted0" style="width:77pt"
width="102"></colgroup> <tbody
class="x_ContentPasted0">
<tr class="x_ContentPasted0"
style="height:17.25pt" height="23">
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); height: 17.25pt; width:
48pt; white-space: nowrap !important; color:
black;" width="64" height="23"> Plugin</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 92pt; white-space:
nowrap !important; color: black;" width="122">
Plugin Name</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 48pt; white-space:
nowrap !important; color: black;" width="64">
Severity</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 341pt; white-space:
nowrap !important; color: black;" width="455">
Plugin Output</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 128pt; white-space:
nowrap !important; color: black;" width="170">
Solution</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 55pt; white-space:
nowrap !important; color: black;" width="73">
Risk Factor</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 77pt; white-space:
nowrap !important; color: black;" width="102">
CVE</td>
</tr>
<tr class="x_ContentPasted0"
style="height:210.0pt" height="280">
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); height: 210pt;
white-space: nowrap !important; color: black;"
height="280" align="right"> 173260</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border:
1px solid rgb(212, 212, 212); width: 92pt;
color: black;" width="122"> OpenSSL 1.1.1 &lt;
1.1.1u Multiple Vulnerabilities</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); white-space: nowrap
!important; color: black;"> Medium</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border:
1px solid rgb(212, 212, 212); width: 341pt;
color: black;" width="455"> Plugin Output: <br
class="x_ContentPasted0">
<span class="x_ContentPasted0" style=""> </span>Banner<span
class="x_ContentPasted0" style="">
</span>: Apache/2.4.56 (Unix) OpenSSL/1.1.1t
mod_perl/2.0.9 Perl/v5.8.8<br
class="x_ContentPasted0">
<span class="x_ContentPasted0" style=""> </span>Reported
version : 1.1.1t<br class="x_ContentPasted0">
<span class="x_ContentPasted0" style=""> </span>Fixed
version<span class="x_ContentPasted0" style="">
</span>: 1.1.1u</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border:
1px solid rgb(212, 212, 212); width: 128pt;
color: black;" width="170"> Upgrade to OpenSSL
version 1.1.1u or later.</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); white-space: nowrap
!important; color: black;"> Medium</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border:
1px solid rgb(212, 212, 212); width: 77pt;
color: black;" width="102"> CVE-2023-0464,
CVE-2023-0464, CVE-2023-0465, CVE-2023-0466</td>
</tr>
</tbody>
</table>
<br>
</div>
<div style="margin:0px">Regards,</div>
<div style="margin:0px"> </div>
<div style="margin:0px">Jack Joslin</div>
<div style="margin:0px"><span style="font-family: Arial,
sans-serif; font-size: 10pt; color: rgb(153, 51,
102);"><span id="x_ms-rterangecursor-start"></span>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal"> <span
style="font-family:'Arial','sans-serif';
font-size:10pt"><font style="color: rgb(0, 0,
0);">Business Services Outsourcing Center
(BSOC)<span id="x_ms-rterangecursor-end"></span></font></span></p>
<span id="x_ms-rterangecursor-end"></span></span></div>
<div style="margin:0px">
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal"> General Dynamics, Information
Technology</p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal"> 327 Columbia Turnpike,
Rensselaer, NY 12144</p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal"> <a
href="mailto:jack.joslin@gdit.com"
data-auth="NotApplicable" tabindex="0"
moz-do-not-send="true"
class="moz-txt-link-freetext">jack.joslin@gdit.com</a></p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal"> <span style="line-height:
115%; font-family: Arial, 'sans-serif';
font-size: 10pt; color: rgb(31, 73, 125);">m:
+1.321.431.5117</span></p>
</div>
<div style="margin:0px"> </div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>