Today's OpenSSL vulnerabilities - what are best channels for updates?

Question

OpenSSL have given heads-up on release of high severity issue between 11am and 3pm today.&nbsp;
Have F5 been given advanced notice on these issues? 
e.g. Do they expect to issue a fix immediately the issues are made public?&nbsp;
What are the best channels for getting any information updates from F5 on this issue? &nbsp;
I'm already on the security announce email list, and following on twitter.&nbsp;
Appreciate F5 are in a tricky position because they can't simply roll vendor OpenSSL packages to clients, and in many cases there is more engineering to do to even establish when it is a problem.&nbsp;
On the other-hand we are all be getting quite good at this urgent patching malarky :(&nbsp;

amolari · Answer

Devcentral is the faster channel so far (past experience showed). Then, F5 publishes a SOL (sec advisory).
Many times, a workaround is proposed (configuration of SSL profiles usually).&nbsp;
F5 might change the way one can update its product in the future: allowing some base (OS) components to be individually updated, without the need of a SW hotfix.&nbsp;
Updating OpenSSL might have some bad side-effects: I have seen that CRL imports (performed by OpenSSL on the BIGIP) is more resources intensive with the newer OpenSSL versions (such as in v11.6) than in previous ones.&nbsp;

Forum Discussion

Today's OpenSSL vulnerabilities - what are best channels for updates?

1 Reply

Recent Discussions

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

Slack Channel?

Auditing Security Policy Updates

Update your DevCentral user profile

OWASP Automated Threats - OAT-014 Vulnerability Scanning

Clouddocs Updates