m.roth at 5-cent.us
2015-Mar-18 17:39 UTC
[CentOS] FYI: OpenSSL Patch to Plug Severe Security Holes
Excerpt: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as "high" severity. <...> The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That's because security updates, particularly those added to open-source software like OpenSSL that anyone can view, give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws. Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn't pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors. "We'd like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure," Marquess said. "One of our main revenue sources is support contracts, and we don't even give them advance notice."

--- end excerpt ---

<http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security-holes/#more-30379>

mark
Alan McKay
2015-Mar-23 14:35 UTC
[CentOS] FYI: OpenSSL Patch to Plug Severe Security Holes
Is there any update yet on when these fixes might be available in CentOS?

thanks,
-Alan
Gordon Messmer
2015-Mar-23 19:28 UTC
[CentOS] FYI: OpenSSL Patch to Plug Severe Security Holes
On 03/23/2015 07:35 AM, Alan McKay wrote:
> Is there any update yet on when these fixes might be available in CentOS?

As best I understand it, two of the three bugs don't affect the version of openssl currently distributed. The third bug only affects systems with a malformed EC private key, which is a condition that a remote party can't create.