No More Security Fixes For Older OpenSSL Branches

itwbennett writes: The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches, OpenSSL 1.0.0t and 0.9.8zh, they will likely be the last security updates because support for these two branches will end on Dec. 31. Previous research has shown that many companies using in-house built software keep poor records of which library versions their developers used in which of their applications. 'This makes it very likely that some systems and applications with OpenSSL 0.9.8 and 1.0.0 will never be updated, leaving them exposed to any critical vulnerabilities found in the library in the future,' writes Lucian Constantin.
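The summary's point about poor records is the practical problem for defenders: an application that statically links or bundles its own libcrypto keeps running 0.9.8 or 1.0.0 no matter what the distro package says. One cheap inventory check is to look for the version banner that OpenSSL compiles into libcrypto (a string of the form "OpenSSL 0.9.8zh 3 Dec 2015"), which survives in bundled and statically linked binaries. The following is an added example, not code from the story or from the OpenSSL project; the branches it flags are the two named in the summary, and the sample "binaries" are constructed byte blobs standing in for real files.

```python
import re
from pathlib import Path

# The two branches that stop receiving security fixes after Dec. 31 (from the story).
UNSUPPORTED_BRANCHES = ("0.9.8", "1.0.0")

# libcrypto embeds a banner like "OpenSSL 1.0.1q 3 Dec 2015"; we only need the
# numeric version and its patch letters, so the date is left unmatched.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def find_openssl_versions(data: bytes) -> list:
    """Return the distinct OpenSSL version strings embedded in a byte blob, in order found."""
    seen = []
    for m in VERSION_RE.finditer(data):
        version = (m.group(1) + m.group(2)).decode()
        if version not in seen:
            seen.append(version)
    return seen


def branch_of(version: str) -> str:
    """'0.9.8zh' -> '0.9.8': the branch is the numeric prefix without patch letters."""
    return re.match(r"\d+\.\d+\.\d+", version).group(0)


def is_unsupported(version: str) -> bool:
    """True if the version belongs to a branch that will get no further fixes."""
    return branch_of(version) in UNSUPPORTED_BRANCHES


def scan_directory(root) -> dict:
    """Map each readable file under root to the unsupported OpenSSL versions it embeds."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:  # unreadable files (permissions, special files) are skipped
            continue
        bad = [v for v in find_openssl_versions(data) if is_unsupported(v)]
        if bad:
            findings[str(path)] = bad
    return findings


# Constructed sample blobs standing in for application binaries; the version
# strings and dates here are made up for the example.
SAMPLES = {
    "legacy_app": b"\x7fELF...OpenSSL 0.9.8zh 3 Dec 2015...",
    "vendor_tool": b"...OpenSSL 1.0.0t 3 Dec 2015...and OpenSSL 1.0.1q 3 Dec 2015",
    "current_app": b"...OpenSSL 1.0.1q 3 Dec 2015...",
    "no_ssl": b"just some text with no crypto library in it",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Same check as scan_directory, run over the in-memory samples."""
    return {
        name: [v for v in find_openssl_versions(blob) if is_unsupported(v)]
        for name, blob in samples.items()
    }


if __name__ == "__main__":
    for name, bad in scan_samples().items():
        status = "UNSUPPORTED " + ", ".join(bad) if bad else "ok"
        print(f"{name}: {status}")
```

Point `scan_directory` at an application's install tree (or a container image's filesystem) to get a list of files carrying an end-of-life OpenSSL. A banner match is evidence that a build of that branch is present, not proof that the code path is reachable, so treat hits as items for the inventory and follow up with the build records rather than as a final verdict.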

  • So one bug was in code deemed dodgy in external peer-review and the other was in code not really needed. Right.

  • Distros that still use older versions (like Ubuntu LTS) can backport patches by themselves. Shouldn't be much of a problem. Ah, the beauty of free software. :)
    • There is no Ubuntu LTS using one of the unsupported branches. Ubuntu 10.04 was the last one using the 0.9.8 branch and Ubuntu dropped support for it in April. Ubuntu 12.04 and 14.04 use the 1.0.1 branch, which is still supported by upstream.
    • I think OpenSSL might be a special case here. By an odd coincidence I was watching the OpenBSD devs' talk on LibreSSL yesterday and they actually covered backporting fixes from OpenSSL. [] - See the section titled "apply the brakes". (for those interested, the slides here are from this video: [])

      My overall impression is that the OpenSSL developers don't really make peoples lives easy when it comes to backport

    • by ledow ( 319597 )

      Nobody's done that properly for Python 2.7 SSL libraries, for instance.

      They just disabled certain functions which break a lot of, say, Python programs auto-updating from Github SSL sites. Fixes for several bits of software affected by this (e.g. Emscripten) just say "modify the source program, modify your python library to skip those bits, or put in massive function overrides for those functions to make it always enable a certain option".

      Getting Emscripten to install/update/pull down new libraries when yo
