So wait, did the OpenBSD team know nothing about CVE-2015-1394 until the very end? That’d be pretty bad behavior on OpenSSL’s part. I’m amazed people still go to the trouble of warning them first.
The OpenSSL policy is that “moderate” (or below) bugs do not warrant early notification. They skip the embargo and just release.
I don’t think this is bad. Actually, it’s kind of like the OpenBSD policy, which is to announce errata publicly and allow downstream to catch up.
However, there is an important difference. OpenBSD does this to accelerate the release of the patch. Any embargo process necessarily slows down the eventual public release. OpenSSL, in this case, sat on the bug for several months, so there’s no speediness argument to be made. They didn’t actually skip the embargo and “just” release.
Either early or fast disclosure is great. Delayed disclosure less so.
OpenSSL snuck another CVE in when they rerolled their broken tarballs; the number is now 2/5 for LibreSSL.
Amazing that people rely on that (former) software.
Am I the only one who, when searching for information about CVE-2015-1393, ends up with a WordPress related photo gallery SQL injection bug?
Nope, I get the same one. Pro tip: you can use !cve on duckduckgo ;)
Oh! Good tip!
Seems as though the errata has some errata: OpenSSL Advisory
Oh, all the OpenBSD numbers got 1/3 transposed. Should be 3193 etc.