[Bug 1649657] Re: OpenSSL version is not dependable
Seth Arnold
1649657 at bugs.launchpad.net
Tue Dec 13 20:28:46 UTC 2016
Thanks for your feedback, Michael,
We're not going to be updating to mainline OpenSSL in Ubuntu on their
release schedule. Every minor point release from OpenSSL invariably
includes either ABI changes that would require recompiling all software
that links against OpenSSL or other regressions that break existing
users.
Over the years we have had far more reliable results backporting
specific security fixes as they are prepared.
Many other vendors feel the same:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
https://www.debian.org/security/faq#version
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
https://access.redhat.com/security/updates/backporting
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1649657
Title:
OpenSSL version is not dependable
Status in openssl package in Ubuntu:
Invalid
Bug description:
Greetings!
Is there any reason why Ubuntu 14.04 LTS openssl version is still
1.0.1f?
From https://www.openssl.org/news/openssl-1.0.1-notes.html there have
been a lot of patches since that version. In fact this critical patch
https://www.openssl.org/news/vulnerabilities.html#2016-6304 is only
available in latest version OpenSSL 1.0.1u [22 Sep 2016].
I ran the below:
sudo apt-get update
sudo apt-get install openssl libssl-dev
openssl version -a
And I got:
$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Sep 23 12:19:57 UTC 2016
platform: debian-amd64
options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
Does this mean that 4 hours and 10 minutes ago 1.0.1f was rebuilt?
Best,
- Nestor
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1649657/+subscriptions
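The exchange above turns on one point: on a distribution that backports fixes, the upstream string printed by `openssl version` (here `1.0.1f`) says nothing about which security fixes are present; the record that does is the Debian package version and its changelog. The following is an added example (not code from the thread, Launchpad or the Ubuntu security team) that reads a changelog in Debian format, collects the CVE identifiers each upload mentions, and answers whether a given CVE is addressed at or before the installed package version. The changelog text embedded below is a constructed sample shaped like a Debian changelog, not the real openssl changelog; only CVE-2016-6304 comes from the bug report, the other identifier is a placeholder, and the version strings and maintainer line are illustrative.

```python
import re

# Constructed sample in Debian changelog format. NOT the real openssl
# changelog: version numbers, dates and the maintainer line are invented,
# CVE-0000-0001 is a placeholder, and only CVE-2016-6304 is taken from the
# bug report above.
SAMPLE_CHANGELOG = """\
openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium

  * SECURITY UPDATE: memory growth via OCSP status request extension
    - debian/patches/CVE-2016-6304.patch: bound the growth in ssl/t1_lib.c
    - CVE-2016-6304
  * SECURITY UPDATE: placeholder issue fixed in the same upload
    - CVE-0000-0001

 -- Maintainer Name <maintainer@example.com>  Thu, 22 Sep 2016 08:00:00 -0400

openssl (1.0.1f-1ubuntu2.20) trusty-security; urgency=medium

  * Rebuild, no security content in this constructed entry.

 -- Maintainer Name <maintainer@example.com>  Tue, 03 May 2016 08:00:00 -0400

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * Initial upload of the 1.0.1f upstream release (constructed entry).

 -- Maintainer Name <maintainer@example.com>  Mon, 06 Jan 2014 08:00:00 -0500
"""

# First line of each changelog entry: "<package> (<version>) <dist>; urgency=..."
ENTRY_HEADER = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) (?P<dist>[^;]+);",
    re.MULTILINE,
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def upstream_version(debian_version):
    """Strip the Debian revision: '1.0.1f-1ubuntu2.21' -> '1.0.1f'.

    This upstream part is all that `openssl version` reports, which is why
    it cannot tell you which backported fixes the package carries.
    """
    return debian_version.rsplit("-", 1)[0]


def parse_changelog(text):
    """Return [(version, frozenset_of_cves), ...] in file order (newest first)."""
    headers = list(ENTRY_HEADER.finditer(text))
    entries = []
    for i, match in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[match.end():end]
        entries.append((match.group("version"), frozenset(CVE_RE.findall(body))))
    return entries


def fixing_version(entries, cve):
    """Oldest version whose entry mentions `cve`, or None if it never appears."""
    for version, cves in reversed(entries):
        if cve in cves:
            return version
    return None


def cve_fixed_in(entries, installed_version, cve):
    """True if `cve` is mentioned in the installed version's entry or an older one.

    Relies on the changelog being newest-first. A mention is the maintainer's
    record that the upload addressed the CVE; an entry could in principle
    mention a CVE to say the package is not affected, so read the wording when
    it matters.
    """
    versions = [v for v, _ in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    start = versions.index(installed_version)
    return any(cve in cves for _, cves in entries[start:])


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    installed = entries[0][0]
    print("installed package version:", installed)
    print("what `openssl version` would show:", upstream_version(installed))
    for cve in ("CVE-2016-6304", "CVE-0000-0001"):
        print(cve, "first fixed in", fixing_version(entries, cve),
              "-> present:", cve_fixed_in(entries, installed, cve))
```

On a real system the inputs come from `dpkg -s libssl1.0.0` (the `Version:` field) and the package changelog (`apt-get changelog openssl`, or the installed `changelog.Debian.gz` under `/usr/share/doc/`), and the relevant Ubuntu Security Notice lists the same fixing version for each CVE.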