Reading the tea leaves on this one early we can probably assume there's a good chance the high vulnerability does not affect libressl, which forked before the 1.0.2 codebase. We'll find out about the low.
From my limited understanding, the update would be pushed through the security.debian.org repository ASAP, which should be configured by default.
I wonder what the 0.9.8 EOL means for squeeze-lts. Does the Debian LTS team just backport all applicable 1.0.1 patches? Isn't this a little risky? They might not have an intimate understanding of the opaque codebase.
What about Wheezy and Jessie after support for 1.0.1 ends on 31 December?
Definitely. But even without LTS, Jessie would be without upstream SSL patches starting 2017. Stretch might not even be released by then. And I wouldn't call the Debian release cycle unreasonably slow.
You get problems like this, but with the amount of overlap in time the different versions provide, with regards to security updates, I'd say its far from unreasonable that one should be able to move over to the next version before stuff like this becomes a problem.
So rhe Openssl devs are the new carpenters? They should specify an exact time instead, so that I can upgrade at a known time without having block the entire afternoon. They could just as well tell us it would be available at 5pm.
That means that my 10k company users will have systems vulnerable for between 0 and 4 hour longer than necessary. That is less than optimal. Really, why do thy even give a 4 hour window for when it will be released?
For OpenSSL, I'm not sure. This highlights something I was going to mention, though. I wish each project would stop coming up with its own scale and just use, for example, CVE scores or some other "standard" by which all these vulnerabilities can be compared.
19 comments
[ 2.6 ms ] story [ 61.0 ms ] threadI wonder what the 0.9.8 EOL means for squeeze-lts. Does the Debian LTS team just backport all applicable 1.0.1 patches? Isn't this a little risky? They might not have an intimate understanding of the opaque codebase.
What about Wheezy and Jessie after support for 1.0.1 ends on 31 December?
It's unclear if that's the beginning or end of the month.
If you're waiting until the very end of LTS support to upgrade, you're doing it wrong anyways.
There was a time in the not so distant past when we didn't even get a "heads up" like this so, personally, I am appreciative of the advance notice.
> Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html