by detaro 1330 days ago
It's not useless, and if it identified the vulnerability it'd massively increase the risk of it being used before patch release.

Attackers can just go look at the repo's commits. Holding back the information only hurts defenders.
It seems unlikely to me that the maintainers are that careless.
It is the norm for the patch to be committed and the CVE to be acquired as part of that process.
Yep, per this comment my optimism was misplaced.

https://news.ycombinator.com/item?id=33384596

Or, it appears I may have been correct the first time.

https://news.ycombinator.com/item?id=33382684

That's cool. Some projects do that, some do not.
It's useless because I don't know if I need to care. Vulnerabilities in openssl are nothing new so as far as I know this is just par for the course, and I get nothing out of it as of yet.
... and an announcement like this is a fairly strong message of "assume you need to care"
I'm not going to assume anything in regards to a future release I have no details about.
So what do you propose is the alternative? Not tell you about the vulnerability at all until a patch is released? Publish all the details about the vulnerability before a patch is available?

Seriously, what are you complaining about?

I just want actionable information is all. If I have to wait a couple days, fine. Giving me vague information I can't do anything with is useless.
"be prepared to update affected systems at $point_in_time" seems actionable to me. You for some reason thinking that such a warning doesn't warrant taking the recommended action doesn't mean it isn't actionable, it means you choose to ignore it.
I spent a few minutes checking my cmdb for openssl3, and have allocated 30 minutes on Tuesday to upgrade the few machines that have openssl3.

When corporate infosec starts to panic, probably about Thursday based on the jndi issue, I'll be able to point them to our log which shows how it was handled.

> I just want actionable information

Which is, according to TFA, being released on 1 Nov., and according to my calendar, is in 3 days... Problem solved?

The detail that it patches a critical vulnerability should be enough for you to assume you should care, assuming you care about security.