[Bug 1649657] Re: OpenSSL version is not dependable
Seth Arnold
1649657 at bugs.launchpad.net
Tue Dec 13 23:57:58 UTC 2016
> there would be no ABI changes, right?
That would be ideal, yes. :) But it's sadly not the case.
Every six months when we prepare a new release, we incorporate newer
OpenSSL packages, and it's astonishing how often things are broken,
either ABI breaks or regressions introduced in newer versions. OpenSSL
upstream's QA process is perhaps not as tuned to discovering this as our
processes are. (This makes sense -- they maintain one package that uses
OpenSSL. We maintain hundreds that use OpenSSL.)
We see enough breaks that we're in no hurry to ship OpenSSL's upstream
releases on their schedule. We'll continue to backport security fixes as
they are prepared and after they pass our QA process.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1649657
Title:
OpenSSL version is not dependable
Status in openssl package in Ubuntu:
Invalid
Bug description:
Greetings!
Is there any reason why Ubuntu 14.04 LTS openssl version is still
1.0.1f?
From https://www.openssl.org/news/openssl-1.0.1-notes.html there have
been a lot of patches since that version. In fact this critical patch
https://www.openssl.org/news/vulnerabilities.html#2016-6304 is only
available in latest version OpenSSL 1.0.1u [22 Sep 2016].
I run the below:
    sudo apt-get update
    sudo apt-get install openssl libssl-dev
    openssl version -a
And I got:
    $ openssl version -a
    OpenSSL 1.0.1f 6 Jan 2014
    built on: Fri Sep 23 12:19:57 UTC 2016
    platform: debian-amd64
    options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
Does this mean that 4 hours and 10 minutes ago 1.0.1f was rebuilt?
Best,
- Nestor
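Because fixes are backported, the upstream string printed by `openssl version` does not show which CVEs a distribution package has patched; the package changelog does. The following is an added example, not part of the original thread or of Ubuntu's tooling: it reads a Debian-format changelog and reports the package revision that first names a given CVE. It assumes security uploads name the CVE ids they fix in the changelog; the sample changelog, its version strings and its maintainer line are constructed placeholders.

```shell
#!/bin/sh
# Added example: report which package revision first recorded a fix for a CVE,
# reading a Debian-format changelog on stdin.
# Real use (usual Debian/Ubuntu changelog location, assumed here):
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | changelog_fix_version CVE-2016-6304

changelog_fix_version() {
    # $1 = CVE id. Prints the version of the oldest entry naming it; exit 1 if none.
    awk -v cve="$1" '
        BEGIN { pat = cve "([^0-9]|$)" }       # do not match a longer CVE number
        /^[a-z0-9][a-z0-9+.-]* [(]/ {           # entry header: "pkg (version) suite; ..."
            ver = $2; gsub(/[()]/, "", ver); next
        }
        ver != "" && $0 ~ pat { found = ver }  # file is newest-first: last hit is oldest
        END { if (found == "") exit 1; print found }
    '
}

sample_changelog() {
    # Constructed sample; versions, text and maintainer are placeholders.
    cat <<'EOF'
openssl (1.0.1f-1ubuntuX.3) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed later entry
    - CVE-0000-0002

 -- Constructed Maintainer <nobody@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

openssl (1.0.1f-1ubuntuX.2) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed entry carrying the backported fix
    - debian/patches/CVE-2016-6304.patch: constructed patch name

 -- Constructed Maintainer <nobody@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
}

cve=CVE-2016-6304
if fixed=$(sample_changelog | changelog_fix_version "$cve"); then
    echo "$cve: fix recorded in package version $fixed"
else
    echo "$cve: not mentioned in this changelog"
fi
```

When run against the changelog shipped with the installed package, any hit means the installed revision already contains that fix, whatever upstream version string the binary prints.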