[Bug 1649657] Re: OpenSSL version is not dependable

Tue Dec 13 21:54:59 UTC 2016

With OpenSSL 1.0.1, as long as you update to the most recent 1.0.1
release, there would be no ABI changes, right?  Otherwise, your argument
is just that other people do separate patches, so Ubuntu will continue
to do that too, right?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1649657

Title:
  OpenSSL version is not dependable

Status in openssl package in Ubuntu:
  Invalid

Bug description:
  Greetings!

  Is there any reason why Ubuntu 14.04 LTS openssl version is still
  1.0.1f?

  From https://www.openssl.org/news/openssl-1.0.1-notes.html there have
  been a lot of patches since that version. In fact this critical patch
  https://www.openssl.org/news/vulnerabilities.html#2016-6304 is only
  available in latest version OpenSSL 1.0.1u [22 Sep 2016].

  I run the below:
  sudo apt-get update
  sudo apt-get install openssl libssl-dev
  openssl version -a

  And I got:
  $ openssl version -a
  OpenSSL 1.0.1f 6 Jan 2014
  built on: Fri Sep 23 12:19:57 UTC 2016
  platform: debian-amd64
  options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) 
  compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
  OPENSSLDIR: "/usr/lib/ssl"

  Does this mean that 4 hours and 10 minutes ago 1.0.1f was rebuilt?

  Best,
  - Nestor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1649657/+subscriptions