The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2f, 1.0.1r. These releases will be made available on 28th January between approx. 1pm and 5pm (UTC). They will fix two security defects, one of "high" severity affecting 1.0.2 releases, and one "low" severity affecting all releases.
This had been noted in our tracker. Closing this ticket. Note that I personally am not in favor of getting the information like this. Please send us an email instead.
(In reply to Remko Lodder from comment #1) FWIW, this was for tracking the progress, not for notification. Beyond that the releases & announcements are already public. Having public issues to track security vulnerability resolution is a net benefit for our users For embargoed issues, of course private channels should be used. I don't believe this is one of them
I'd urge secteam to consider re-opening this issue, and leaving it assiged to yourselves. At a minimum we may communicate it's progress (for the port as well) to the community more easily. You are quite welcome not to make any public changes to this meta issue. If not, I'll gladly re-open the issue and assign it to myself, tracking the updates accordingly
Secteam has a policy written that issues should be delivered through email to secteam@ or if a more secure way is needed to communicate to security-officer@. I will not be doing double work to have multiple tickets. If you want to track this, fine, but we use our own tracker to track this incident. Once an advisory is needed we will work on that and get it out of the door, notifying people about that.
I'll take this issue, while things happen internally.
(In reply to Remko Lodder from comment #4) FWIW, I believe there's only potential for double work due to their being a second issue tracker instance. In the meantime, users continue to report security issues both in base and ports in this issue tracker, and again I believe there is lot's of value in progress being visible to the community, even if the content of SA's and vulnerabilities remain undisclosed. It's perfectly feasible to configure a 'Security Team' specific area in this issue tracker that defaults to all reported issues being private, or however secteam would like it configured. Don't hesitate to let Bugmeister to know if and when you'd like the best of both worlds. Come join us!
Whoops, forgot I removed you from CC, apologies Remko. See my reply in comment 6, I'm happy to continue on email instead of here if you'd like to discuss (or argue ;])
Since SA for this issue were published long time ago, I am closing this PR.