OpenSSL promises to notify developers in advance when a security problem occurs.
In the wake of the recent Heartbleed vulnerability, the OpenSSL Project has decided that the Linux and Unix operating system vendors who ship the popular OpenSSL encryption library will be notified in advance when OpenSSL releases security-related fixes.
The OpenSSL Project has determined that operating system vendors that distribute OpenSSL will receive a notification before a fix is released. The openssl-announce mailing list will also receive a notification, but it will not contain details of the problem.
Although the maintainers of the OpenSSL Project consider it necessary to handle important vulnerabilities as carefully as possible, they also pointed out that serious vulnerabilities should not remain secret for long. A web post from the OpenSSL Project says, "after an OpenSSL vulnerability is discovered, the period of silence should be a matter of days, not months or years."
According to the OpenSSL Project, vulnerabilities are kept confidential according to three severity levels. "Low" severity problems, including those that are difficult to exploit, will be published promptly after the fix is released; in general, such an issue is "published immediately". These problems usually result in a patch being released, but are unlikely to trigger a new version.
"Moderate" issues include application crashes, flaws in less commonly used protocols such as DTLS (Datagram Transport Layer Security), and local vulnerabilities. The OpenSSL Project has decided to handle this type of problem internally, releasing the fix with the next new version.
"Severe" issues will be kept confidential until new versions of all supported branches have been released, but the OpenSSL Project "will try its best to keep the period of confidentiality as short as possible", especially when the vulnerability is being actively exploited.
There are some special considerations regarding the release of announcements. The main one is that the plan to release a security fix will be announced first, along with its severity; a post giving the specific schedule will be published on the OpenSSL homepage, but the nature of the fix will not be made public until it is released.
However, "if the update contains a very serious problem, we will also send more details and patches in advance." The basic consideration is that vendors need to be told of additional issues, since it takes operating system vendors several days to prepare a package for end users and to provide test feedback.
The OpenSSL Project says it does not want advance notification to become a marketing gimmick. An OpenSSL web post says, "We cannot accept some organizations treating advance notification as a competitive marketing tool. For example, 'If you have bought our products or use our services, you will be protected a week in advance' is not acceptable."