oss-sec mailing list archives
Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160
From: Yves-Alexis Perez <corsac () debian org>
Date: Wed, 9 Apr 2014 09:32:36 +0200
On Wed, Apr 09, 2014 at 12:02:09PM +0530, Huzaifa Sidhpurwala wrote:
On 04/09/2014 01:07 AM, Yves-Alexis Perez wrote:Mon, 07 Apr 2014 06:10 : Huzaifa Sidhpurwala sends a mail to distros list with no details but an offer to request them privatelyAfter i sent a mail to distros, i was contacted by security engineers from most major distributions. I answered most of the them as soon as i could with complete details including the upstream patch.
I'm not sure who are “most major distributions”. We failed to reply in a timely fashion to that mail (but that's on us), but apparently so did Ubuntu, Suse sent a mail but got apparently no reply. In any case, two days notice is a bit out of our comfort zone for preparing updates, but I think we would have managed to handle it properly if the embargo didn't break. So again thanks Red Hat for notification/coordination job, but I'm still puzzled at what happened earlier, before Red Hat was informed. Regards, -- Yves-Alexis Perez
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160, (continued)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Kurt Seifried (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Solar Designer (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Michal Zalewski (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Jussi Eronen (Apr 25)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Donald Stufft (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Vincent Danen (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Florian Weimer (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Huzaifa Sidhpurwala (Apr 08)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Yves-Alexis Perez (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Huzaifa Sidhpurwala (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marcus Meissner (Apr 09)
- Re: OpenSSL 1.0.1 TLS/DTLS hearbeat information disclosure CVE-2014-0160 Marc Deslauriers (Apr 09)