On Thursday, March 23, 2023 9:56 AM, Tomas Mraz wrote: >On Thu, 2023-03-23 at 09:45 -0400, rsbecker@xxxxxxxxxxxxx wrote: >> On Thursday, March 23, 2023 3:40 AM, Tomas Mraz wrote: >> > To: rsbecker@xxxxxxxxxxxxx; openssl-users >> > <openssl-users@xxxxxxxxxxx> On Wed, 2023-03-22 at 15:12 -0400, >> > rsbecker@xxxxxxxxxxxxx wrote: >> > > On Wednesday, March 22, 2023 11:50 AM Tomas Mraz wrote: >> > > <snip> >> > > > OpenSSL 3.1 users should upgrade to 3.1.1. >> > > > OpenSSL 3.0 users should upgrade to 3.0.9. >> > > > OpenSSL 1.1.1 users should upgrade to 1.1.1u. >> > > > OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support >> > > > customers >> > > only). >> > > >> > > Is there an ETA for 3.1.1, 3.0.9, 1.1.1u in the github repo? >> > >> > There is no ETA for the next releases. Unless there is any issue of >> > severity higher than Low we usually do a release in 3 months after >> > the previous patch release. >> >> Thanks. I was confused by the phrasing of the above, regarding >> upgrading to the new releases that are not in the repo. > >There is the `Once they are released:` paragraph just before these sentences. >Perhaps that is too confusing and we should simply drop these sentences from the >Low advisories? Might be a good idea. I guess I just read through it. Problem is that security advisories trigger action and review in my organization - a good thing, but we have to modify the response to differentiate when releases are not available. Thanks, Randall
