Hi,

In light of the last "Forthcoming OpenSSL release" I have two suggestions:

First, would it be possible to have not only a date, but also a timeframe (maybe an hour + timezone info!) for when releases and security announcements are expected to go public?

And second, I wonder if OpenSSL needs another severity category. The last announcement says there is a "high" severity security defect to be expected. If I look at the matching advisory there were two "high" vulns: https://www.openssl.org/news/secadv_20150319.txt

One was a server DoS (you could probably crash a server) and the other was FREAK (which only affected substandard configurations doing things nobody should've done anyway). Now judging by the gold standard of severe OpenSSL vulns (aka Heartbleed) these aren't really super-worrying issues. Sure, they need to be patched and fixed. But what I really want to know in advance is whether I have to stop anything I'm doing and patch my server immediately, because if I don't before the first PoCs come out I may be in trouble.

So may I propose another category that includes only data exfiltration, remote code execution or severe crypto breaks on reasonable default configurations?

cu,
-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev