On 07/09/2015 09:06 PM, Salz, Rich wrote: > Perhaps something like the CVE vectors, that others have suggested? > https://nvd.nist.gov/CVSS/Vector-v2.aspx > > It's (a bit?) extra work while getting the release out, so it would be good > to hear enthusiastic support for this :) Yes, this would be very helpful.
Also, in this particular case, the following piece of information (and especially your clarification) would have been useful if it were included in the pre-announcement (but maybe the heads-up was a bit fuzzy on purpose, with the intention not to point attackers to the exact location of the bug in the source?): Subject: Re: [openssl-users] [openssl-dev] OpenSSL Security Advisory Date: Thu, 9 Jul 2015 13:13:30 +0000 From: Salz, Rich <[email protected]> Reply-To: [email protected] To: [email protected] <[email protected]>, OpenSSL User Support ML <[email protected]> > This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. In other words, if you are not using those specific releases -- i.e., the ones that came out less than 30 days ago -- you do not need to upgrade.
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
