by rascul 1334 days ago
This is basically useless without identifying the vulnerability.
2 comments

You left out the key phrase "to me".

Clearly some people prefer to know in advance, to make sure they're prepared to patch critical servers on that day, and perhaps even take some offline until then.

It's not useless, and if it identified the vulnerability it'd massively increase the risk of it being used before patch release.
Attackers can just go look at the repo's commits. Holding back the information only hurts defenders.
It seems unlikely to me that the maintainers are that careless.
It is the norm for the patch to be committed and the CVE to be acquired as part of that process.
Yep, per this comment my optimism was misplaced.

https://news.ycombinator.com/item?id=33384596

Or, it appears I may have been correct the first time.

https://news.ycombinator.com/item?id=33382684

It's useless because I don't know if I need to care. Vulnerabilities in openssl are nothing new, so as far as I know this is just par for the course, and I get nothing out of it as of yet.
... and an announcement like this is a fairly strong message of "assume you need to care"
I'm not going to assume anything in regards to a future release I have no details about.
So what do you propose is the alternative? Not tell you about the vulnerability at all until a patch is released? Publish all the details about the vulnerability before a patch is available?

Seriously, what are you complaining about?

I just want actionable information is all. If I have to wait a couple days, fine. Giving me vague information I can't do anything with is useless.
The detail that it patches a critical vulnerability should be enough for you to assume you should care, assuming you care about security.