oss-sec mailing list archives
Re: Fwd: [openssl-announce] Forthcoming OpenSSL releases
From: Christian Rebischke <chris.rebischke () gmail com>
Date: Wed, 18 Mar 2015 09:40:53 +0100
Hello,

I should mention that I forgot to include one CVE in my tweet: CVE-2015-0291. I am not sure if this CVE has high severity or is low, but according to the openssl bug guideline it should be 'high'. It seems that this CVE is a DoS vulnerability:

https://twitter.com/ramosbugs/status/577935589397278720

    @Sh1bumi @ArneBab @hynek I have working exploit for upcoming CVE-2015-0291 1.0.2 server DoS. As far as I know not active in wild.

@ramosbugs alias <David Ramos> is the bug reporter of CVE-2015-0291.

So, as far as I know, there are 4 openssl CVEs: CVE-2015-0209, CVE-2015-0285, CVE-2015-0288 and CVE-2015-0291

Are these all CVEs or are there any other currently reserved high rated CVEs?

best regards,

--------------------------------------------------------------
Christian Rebischke
Website : www.nullday.de
Twitter : @sh1bumi
Jabber : shibumi () jabber ccc de
PGP : 0x8D8172C8
Fingerprint: A224 6F57 FD0A AC81 3971 EEBE 5EDA 916B 3A2A 7C49
--------------------------------------------------------------

On Wed, Mar 18, 2015 at 11:17:47AM +0300, Solar Designer wrote:
> Mark -
>
> It was suggested to me off-list that it'd be helpful to publicly specify not only the date, but also the time (and timezone) of the forthcoming OpenSSL releases. Can you?
>
> All -
>
> On Tue, Mar 17, 2015 at 03:00:05AM +0300, Solar Designer wrote:
> > I think the limited public info on this should be in here ASAP, hence the forward.
>
> References to commits for CVE-2015-0209, CVE-2015-0285, CVE-2015-0288:
> https://twitter.com/Sh1bumi/status/577904223444168704
>
> Mark's reply:
>
> <@iamamoose> @Sh1bumi those are all "low severity" classification, previously committed issues, which will be included in roll up on Thursday too.
> <@iamamoose> @Sp1l As per the security policy, low severity issues (and some moderates) get fixed in public as and when -- those issues are known public
> <@iamamoose> @Sp1l CVE-2015-0285 is https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0288 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
>
> On vendor notifications so far:
>
> <iamamoose> Per https://www.openssl.org/about/secpolicy.html we've provided details of the #openssl vulns to distros@ vendors on request, also now to LibreSSL.
> <@iamamoose> @iamamoose we've also provided details today to Apple and IBM who are not currently distros@ members #openssl
>
> BTW, OpenSSL Security Policy at https://www.openssl.org/about/secpolicy.html specifies what kind of issues the three severity classifications may correspond to.
>
> Alexander