Excerpt:
The OpenSSL project said it plans to release new versions of its code to
fix a number of security weaknesses, including some classified as “high”
severity.
<...>
The patch is likely to set off a mad scramble by security teams at
organizations that rely on OpenSSL. That’s because security updates —
particularly those added to open-source software like OpenSSL that anyone
can view — give cybercriminals a road map toward finding out where the
fixed vulnerabilities lie and insight into how to exploit those flaws.
Indeed, while the OpenSSL project plans to issue the updates on Thursday,
Mar. 19, the organization isn’t pre-releasing any details about the fixes.
Steve Marquess, a founding partner at the OpenSSL Software Foundation,
said that information will only be shared in advance with the major
operating system vendors.
“We’d like to let everyone know so they can be prepared and so forth, but
we have been slowly driven to a pretty brutal policy of no [advance]
disclosure,” Marquess said. “One of our main revenue sources is support
contracts, and we don’t even give them advance notice.”
--- end excerpt ---
<http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security-holes/#more-30379>
mark
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
