TechEcho

Reading the tea leaves on this one early we can probably assume there's a good chance the high vulnerability does not affect libressl, which forked before the 1.0.2 codebase. We'll find out about the low.

Did they communicate these issues via a backchannel to LibreSSL and BoringSSL yet?

Will this be the first High issue since 0.9.8 and 1.0.0 stopped getting fixes? It'll be interesting to see how that plays out.

what's the procedure to update in debian? the offical repo will be updated immediatly or what?

What is the range of severities? Is 'high' the highest?

So rhe Openssl devs are the new carpenters? They should specify an exact time instead, so that I can upgrade at a known time without having block the entire afternoon. They could just as well tell us it would be available at 5pm.

I wonder which exploit mitigation countermeasure was "bugfixed" in the new release?

Did they communicate these issues via a backchannel to LibreSSL and BoringSSL yet?

Will this be the first High issue since 0.9.8 and 1.0.0 stopped getting fixes? It'll be interesting to see how that plays out.

what's the procedure to update in debian? the offical repo will be updated immediatly or what?

What is the range of severities? Is 'high' the highest?

I wonder which exploit mitigation countermeasure was "bugfixed" in the new release?

Forthcoming OpenSSL release announced

7 comments

Forthcoming OpenSSL release announced

7 comments