Rich Salz [Tue, 14 Aug 2018 11:59:18 +0000 (07:59 -0400)]
Add FIPS FAQ, update FIPS status.
Mark J. Cox [Tue, 14 Aug 2018 11:21:00 +0000 (12:21 +0100)]
Another try at table spacing for donations page
Mark J. Cox [Tue, 14 Aug 2018 11:19:26 +0000 (12:19 +0100)]
Make the table look a tiny bit better
Mark J. Cox [Tue, 14 Aug 2018 11:15:30 +0000 (12:15 +0100)]
Update sponsors and acks page to match reality
Mark J. Cox [Tue, 14 Aug 2018 11:10:26 +0000 (12:10 +0100)]
Update donations and acknowledgements page to match reality and
add in new sponsors
Rich Salz [Tue, 14 Aug 2018 02:41:34 +0000 (22:41 -0400)]
Fix date for when travel policy was approved
Rich Salz [Thu, 26 Jul 2018 19:00:58 +0000 (15:00 -0400)]
Add GeneralName question
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/64)
Rich Salz [Tue, 3 Jul 2018 15:35:17 +0000 (11:35 -0400)]
Fix NIST links, remove 2473.
Also remove some "political" content.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/63)
Matt Caswell [Wed, 20 Jun 2018 14:54:49 +0000 (15:54 +0100)]
Update newsflash for pre 8
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/web/pull/62)
Richard Levitte [Thu, 14 Jun 2018 08:02:01 +0000 (10:02 +0200)]
OMC generation: account for titles when sorting names
This moves the process of making names sortable to a separate function.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/61)
Richard Levitte [Thu, 14 Jun 2018 08:01:10 +0000 (10:01 +0200)]
OMC generation: Make sure non-ASCII characters are made into entities
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/61)
Richard Levitte [Wed, 13 Jun 2018 17:19:13 +0000 (19:19 +0200)]
Generate OMC Members and OMC Alumni
This simplifies our lives when we need to do changes, since we already
have a personnel database.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/60)
Matt Caswell [Tue, 12 Jun 2018 12:10:13 +0000 (13:10 +0100)]
Fix advisory link
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/web/pull/59)
Matt Caswell [Tue, 12 Jun 2018 09:25:31 +0000 (10:25 +0100)]
Updates for CVE-2018-0732
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/web/pull/58)
Richard Levitte [Tue, 12 Jun 2018 07:19:01 +0000 (09:19 +0200)]
Emilia Käsper has left us
Rich Salz [Tue, 29 May 2018 15:18:24 +0000 (11:18 -0400)]
Remove rationale paragraph
Reviewed-by: OMC Vote
Matt Caswell [Tue, 29 May 2018 08:21:53 +0000 (09:21 +0100)]
Update the release strategy
Updates in line with the following votes:
"The next LTS release will be 1.1.1 and the LTS expiry date for 1.0.2 will
not be changed."
and
"1.1.1 beta release schedule changed so that the next two beta releases
are now 29th May, 19 June and we will re-review release readiness after
that. We will also ensure that there is at least one beta release post
TLS-1.3 RFC publication prior to the final release."
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/55)
Matt Caswell [Tue, 29 May 2018 12:26:20 +0000 (13:26 +0100)]
Updates to newsflash for pre7 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/56)
Rich Salz [Wed, 23 May 2018 23:57:47 +0000 (19:57 -0400)]
Revert "Remove rationale, clarify language."
This reverts commit ac5eb58ddc24db122c494b4cb13de3adff366e48.
Rich Salz [Mon, 14 May 2018 20:29:47 +0000 (16:29 -0400)]
Remove rationale, clarify language.
Add 1.1.1 release/LTS details.
Remove paragraph justifying binary compatibility. Also remove
phrase "as implied by the above" because, well, it ACTUALLY ISN'T
implied by the above. :)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Mark Cox <mark@openssl.org>
(Merged from https://github.com/openssl/web/pull/52)
Matt Caswell [Wed, 23 May 2018 09:01:41 +0000 (10:01 +0100)]
Remove the Forthcoming Features section as per OMC vote
Issues have been created for the outstanding features, also as per the
vote.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/54)
Mark J. Cox [Wed, 16 May 2018 20:40:33 +0000 (21:40 +0100)]
Update policy to remove a guiding principle as per vote at Ottawa f2f
Rich Salz [Wed, 16 May 2018 20:09:43 +0000 (16:09 -0400)]
Broken link to pgpkey.html
Also fix indent of #include'd file
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/53)
Rich Salz [Fri, 6 Apr 2018 16:08:26 +0000 (12:08 -0400)]
Remove NSA license and mention of it
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/51)
Rich Salz [Sat, 5 May 2018 14:10:44 +0000 (10:10 -0400)]
Tweak wording based on F2F
Matt Caswell [Tue, 1 May 2018 12:30:50 +0000 (13:30 +0100)]
Update newsflash for new release
Mark J. Cox [Wed, 25 Apr 2018 14:26:35 +0000 (15:26 +0100)]
What we probably meant to do here is create anchors, so let's do that
Mark J. Cox [Wed, 25 Apr 2018 14:23:27 +0000 (15:23 +0100)]
Update the URL to save having to click through twice to the new
location; this is a trivial change for which we do not need to vote
on a policy change or update the policy change date.
Mark J. Cox [Wed, 25 Apr 2018 09:44:57 +0000 (10:44 +0100)]
Fix emacs autowrap I didn't notice
Mark J. Cox [Wed, 25 Apr 2018 09:43:04 +0000 (10:43 +0100)]
Note the questions we get asked frequently about bug bounties and
lack of a SPF record. We could add more here for the other frequently
reported issues (like an open ftp server, open directory listings etc)
Mark J. Cox [Wed, 25 Apr 2018 09:11:30 +0000 (10:11 +0100)]
Remove duplicated text and refer to report a security issue section
Mark J. Cox [Wed, 25 Apr 2018 09:06:48 +0000 (10:06 +0100)]
Move the details of reporting security issues here, that way we can
remove the duplication from each vulnerability page and we can add
more details about reports we will reject
Matt Caswell [Tue, 24 Apr 2018 07:21:54 +0000 (08:21 +0100)]
Fix error for CVE-2018-0737
vulnerabilities.xml erroneously did not list 1.0.2a and 1.0.2 as affected.
Rich Salz [Wed, 18 Apr 2018 12:50:48 +0000 (08:50 -0400)]
Add bug bounty reference
Richard Levitte [Tue, 17 Apr 2018 13:46:22 +0000 (15:46 +0200)]
Update newsflash for release of OpenSSL 1.1.1-pre5 (beta 3)
Rich Salz [Mon, 16 Apr 2018 15:47:44 +0000 (11:47 -0400)]
1747 newsflash
Matt Caswell [Mon, 16 Apr 2018 15:33:11 +0000 (16:33 +0100)]
Update newsflash for security advisory
Matt Caswell [Mon, 16 Apr 2018 15:30:00 +0000 (16:30 +0100)]
Updates for CVE-2018-0737
Mark J. Cox [Thu, 12 Apr 2018 14:46:30 +0000 (15:46 +0100)]
Use a unified converter tool with Apache by making it handle both formats and abstracting the differences
Richard Levitte [Wed, 4 Apr 2018 09:14:44 +0000 (11:14 +0200)]
Generalise the rewrites of older tarballs
We enumerated every series when we could as simply handle them all
with one simple regexp.
Richard Levitte [Tue, 3 Apr 2018 13:42:54 +0000 (15:42 +0200)]
bin/mk-latest: Allow for 1.1.1 URLs
Richard Levitte [Tue, 3 Apr 2018 13:42:14 +0000 (15:42 +0200)]
source/.htaccess: I forgot it's autogenerated
Matt Caswell [Tue, 3 Apr 2018 13:30:42 +0000 (14:30 +0100)]
Update newsflash for new release
Richard Levitte [Thu, 29 Mar 2018 12:15:27 +0000 (14:15 +0200)]
source/: translate /source/openssl-x.y.z*.tar.gz -> /source/old/x.y.z/...
Some people try to access older archive through their original
position. Help them along.
Matt Caswell [Wed, 28 Mar 2018 09:37:47 +0000 (10:37 +0100)]
Add a link to the advisory
Matt Caswell [Tue, 27 Mar 2018 13:25:09 +0000 (14:25 +0100)]
Publish security advisory
Matt Caswell [Tue, 27 Mar 2018 13:10:47 +0000 (14:10 +0100)]
Update news for new release
Richard Levitte [Sat, 24 Mar 2018 15:27:49 +0000 (16:27 +0100)]
mk-notes: slight change to include unreleased stuff from other branches
Jonathan Champ [Fri, 23 Mar 2018 22:49:18 +0000 (18:49 -0400)]
mk-notes: Find all sections; only print released
Jonathan Champ [Fri, 23 Mar 2018 21:08:54 +0000 (17:08 -0400)]
mk-notes: Allow 'under development' version
Richard Levitte [Sat, 24 Mar 2018 15:15:25 +0000 (16:15 +0100)]
Make news/cl111.txt as well
Matt Caswell [Wed, 21 Mar 2018 23:02:15 +0000 (23:02 +0000)]
Update newsflash with pre-announcement for next release
Matt Caswell [Tue, 20 Mar 2018 13:53:52 +0000 (13:53 +0000)]
Updates for beta 1 release
Richard Levitte [Mon, 12 Mar 2018 20:23:40 +0000 (21:23 +0100)]
Update the release dates according to OMC vote
OMC vote has the following text:
topic: Push the release of 1.1.1 beta1 (pre3) forward one week
Reason: we have a number of unreviewed PRs on github marked
1.1.1 and time is getting short.
All other current future release dates will be pushed one week as well.
https://www.openssl.org/policies/releasestrat.html will be updated.
An official announcement should be made.
Proposed by Richard Levitte
The votes are 6 +1's, no -1's and one not voted
Mark J. Cox [Fri, 2 Mar 2018 16:02:58 +0000 (16:02 +0000)]
Give full hash
Mark J. Cox [Fri, 2 Mar 2018 16:02:52 +0000 (16:02 +0000)]
Add missing blog posts
Rich Salz [Thu, 1 Mar 2018 22:14:28 +0000 (17:14 -0500)]
Address issue 44
Rich Salz [Wed, 28 Feb 2018 15:23:36 +0000 (10:23 -0500)]
Add Travel Reimbursement policy
Richard Levitte [Tue, 27 Feb 2018 14:27:24 +0000 (15:27 +0100)]
Include source/old/1.1.1
Matt Caswell [Tue, 27 Feb 2018 14:07:00 +0000 (14:07 +0000)]
Add old source directories for 1.1.1
Matt Caswell [Tue, 27 Feb 2018 13:48:35 +0000 (13:48 +0000)]
Update for new release
Richard Levitte [Tue, 13 Feb 2018 14:45:58 +0000 (15:45 +0100)]
Add 1.1.1 stuff
Richard Levitte [Tue, 13 Feb 2018 14:44:45 +0000 (15:44 +0100)]
Remake 'manmaster' into 'newmanpages'
Generalise it with a multi-line macro, as we'll use it for more than
just master.
Matt Caswell [Tue, 13 Feb 2018 13:35:28 +0000 (13:35 +0000)]
Update news for new 1.1.1 alpha1 release
Richard Levitte [Tue, 6 Feb 2018 18:34:48 +0000 (19:34 +0100)]
Correct signature file name
Matt Caswell [Thu, 25 Jan 2018 18:59:48 +0000 (18:59 +0000)]
Update release strategy for 1.1.1
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/41)
Mark J. Cox [Tue, 6 Feb 2018 09:39:00 +0000 (09:39 +0000)]
Update the git commit links to use the right trees and add some missing
commit links (20160819 to date is complete)
Mark J. Cox [Tue, 6 Feb 2018 09:01:10 +0000 (09:01 +0000)]
Merge branch 'master' of git.openssl.org:openssl-web
Mark J. Cox [Tue, 6 Feb 2018 09:00:32 +0000 (09:00 +0000)]
When an issue affects more than one release list the releases latest first
Rich Salz [Mon, 5 Feb 2018 16:37:59 +0000 (11:37 -0500)]
Typo in directory name
Mark J. Cox [Mon, 5 Feb 2018 15:00:47 +0000 (15:00 +0000)]
Based on discussions with Mitre, over this field that isn't yet defined, but is unlikely
to be machine parsable (looking at all the published ones to date). They'd like "Fixed in"
and "Affects", so let's give that both in a nice text format for the description and the
vulnerability affects sections.
Mark J. Cox [Mon, 5 Feb 2018 14:57:10 +0000 (14:57 +0000)]
CVE-2004-0081 was missing the 'fixed in 0.9.6d' line, causing it to not get included on the list of 0.9.6 issues
and fail json validation.
Mark J. Cox [Tue, 30 Jan 2018 12:59:33 +0000 (12:59 +0000)]
start adding some git commit links for 1.0.2 vulns (where 1.1.0 doesn't have a link or is a very different patch, for now)
Mark J. Cox [Tue, 30 Jan 2018 11:52:53 +0000 (11:52 +0000)]
Add links to the 1.1.0 branch git commit for every 1.1.0 issue
Mark J. Cox [Tue, 30 Jan 2018 10:29:00 +0000 (10:29 +0000)]
fix html not noticed on test due to stylesheet
Mark J. Cox [Tue, 30 Jan 2018 10:26:53 +0000 (10:26 +0000)]
Put the link to the per-version pages on the main page now it all works
Mark J. Cox [Tue, 30 Jan 2018 10:13:34 +0000 (10:13 +0000)]
Add EOL notes to the vulnerability pages so it's clear they are
no longer getting security updates (which was kind of the point
of doing these extra pages to start with)
Mark J. Cox [Tue, 30 Jan 2018 10:02:12 +0000 (10:02 +0000)]
Also ignore the new vulnerabilities inc files
Mark J. Cox [Tue, 30 Jan 2018 10:00:23 +0000 (10:00 +0000)]
Add vulnerability page for each version. If we did lots of major
releases it might be worth automating this a bit better. We could
have used a single page with clever javascript to filter the issues
too (but let's not start adding javascript for the sake of it)
Mark J. Cox [Tue, 30 Jan 2018 09:43:25 +0000 (09:43 +0000)]
Make the per-version vulnerability files. We could probably do something
clever here to work out all the versions we have releases for.
Mark J. Cox [Tue, 30 Jan 2018 09:27:28 +0000 (09:27 +0000)]
Link to all-issues page, better detection of "no vulnerabilities" for a given base version
Mark J. Cox [Tue, 30 Jan 2018 09:19:21 +0000 (09:19 +0000)]
Update mk-cvepage to remain backward compatible for now, but allow generation of a
"per major version" vuln page. So users of 1.1.0 can if they like just see a page
of issues that were fixed in 1.1.0*
Mark J. Cox [Mon, 29 Jan 2018 15:18:59 +0000 (15:18 +0000)]
Match lower case severity names in security policy
Mark J. Cox [Mon, 29 Jan 2018 15:16:35 +0000 (15:16 +0000)]
So we can link directly to severities
Mark J. Cox [Mon, 29 Jan 2018 14:49:07 +0000 (14:49 +0000)]
Move the git hash links to the respective 'fixed' sections so they show up on the vulnerabilities page
Mark J. Cox [Mon, 29 Jan 2018 14:45:01 +0000 (14:45 +0000)]
missing closing h3
Mark J. Cox [Mon, 29 Jan 2018 14:42:59 +0000 (14:42 +0000)]
tabs not spaces
Mark J. Cox [Mon, 29 Jan 2018 14:39:23 +0000 (14:39 +0000)]
Switch out the vulnerabilities.xsl for python, the differences to the
final page should be ordering (now for a given date in CVE order),
dates don't have suffixes like "1st", and ranges of affected versions
are used instead of listing every affected version
Mark J. Cox [Mon, 29 Jan 2018 14:38:27 +0000 (14:38 +0000)]
change mind, don't use output dir since we need to know what inc files
we create, so we'll do that as an option later
Mark J. Cox [Mon, 29 Jan 2018 14:34:06 +0000 (14:34 +0000)]
we use an inc file for vulnerabilities page
Mark J. Cox [Mon, 29 Jan 2018 14:31:53 +0000 (14:31 +0000)]
The xslt we use to convert the vulnerabilities.xml is clever, but esoteric, so
let's replace it with python instead and that way we can do things like
collapse the "affected" lists, and possibly in the future create multiple
pages (like a page for 1.0.2, 1.0.1 etc)
Mark J. Cox [Mon, 29 Jan 2018 11:14:25 +0000 (11:14 +0000)]
Add a script to convert our vulnerabilities.xml file to json
as per Mitre CVE JSON format, and validate it. We'll use this
for submitting our CVE updates to Mitre (and we may change the
creation of the web site pages to use a similar script in future
as the xslt we currently use is a little esoteric)
Rich Salz [Tue, 23 Jan 2018 16:56:30 +0000 (11:56 -0500)]
Add -project mailing list; -dev is archived
Mark J. Cox [Tue, 23 Jan 2018 13:29:56 +0000 (13:29 +0000)]
Fix link wrapping issue
Mark J. Cox [Tue, 23 Jan 2018 13:28:02 +0000 (13:28 +0000)]
Simplify security policy, as per f2f discussion and subsequent OMC vote
Mark J. Cox [Mon, 22 Jan 2018 09:40:03 +0000 (09:40 +0000)]
ToC is getting large and probably isn't ever used anyway, simplify
so we get more before the break
Mark J. Cox [Mon, 22 Jan 2018 09:35:54 +0000 (09:35 +0000)]
Fix some bad formatting errors where we had entries with no advisories etc
Mark J. Cox [Mon, 22 Jan 2018 09:28:45 +0000 (09:28 +0000)]
Update vulnerability database with references for every CVE, either an
advisory, link to PR, or git commit link. Split out the DTLS issues
from 2009 as the three were not the same (and we can then ensure we
only have one CVE per entry in this file)
Mark J. Cox [Wed, 17 Jan 2018 15:01:19 +0000 (15:01 +0000)]
Fix advisory url, note which issues need links of some sort
Mark J. Cox [Wed, 17 Jan 2018 14:36:16 +0000 (14:36 +0000)]
Working on conversion of the xml to Mitre JSON; there are a few
issues that fail validation due to 1) missing affects (fixed)
and 2) missing references. Some are still missing references
as there was no security advisory and I'll link to the commits
instead over time.