OpenSSL promises devs advance notice of future bugs, slaps if they blab

  • 10 September 2014

By Richard Chirgwin, 10 Sep 2014
 
In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes.
The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the openssl-announce list but not details of specific issues.
While the project's keepers have decided that critical bugs should be dealt with “in camera” as far as is possible, they also note that critical vulnerabilities should not remain secret for too long: “OpenSSL embargoes should be measured in days and weeks, not months or years”, the post states.
The level of secrecy surrounding a bug will, the project says, be determined on three levels of severity. “Low severity” issues – including hard-to-exploit attacks – will be announced as soon as fixes are published, in general “immediately”, and while they might trigger bug-fixes, they probably won't trigger new releases.
 
The Register/ full article here/ http://www.theregister.co.uk/2014/09/10/openssl_to_open_up_about_bugs/
