[Pkg-openssl-devel] Security incident on openssl
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Mon Apr 3 20:48:16 BST 2023
On 2023-04-03 12:19:36 [+0000], Russ, Andre wrote:
> Hi,
Hi,
> The Debian webpage
> https://security-tracker.debian.org/tracker/CVE-2023-0464 states there
> is no fix. That is WRONG.
This refers to versions uploaded to Debian. There is no fixed version
at this time in the Debian archive.
> For 3 weeks there has been a new release:
> https://github.com/openssl/openssl/releases/tag/openssl-3.1.0
As far as I can tell, CVE-2023-0464 is not fixed in v3.1.0. It was
released before the advisory was published.
> I think this CVE https://nvd.nist.gov/vuln/detail/CVE-2023-0464 has a
> score of 7.5 and we should just run another publish job or shouldn’t
> we?
According to the official advisory
https://www.openssl.org/news/secadv/20230322.txt
the problem here is rated as "low" and no official release has been made
so far. For something more serious or people asking for it due to
$reason I would prepare a fixed version.
> Best
> Andre
Sebastian