Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
On 07/21/2015 01:16 PM, Brad House wrote:
> I'm sure you're not the only one that will be needing to support 0.9.8 after the official EOL. RedHat Enterprise Linux 5 comes to mind (supported until 3/2017), so there will definitely be others providing security related patches.

On the other hand, Red Hat will only backport critical security fixes to Red Hat Enterprise Linux 5 because it is in Production Phase 3. This is considerably narrower than what is currently provided by OpenSSL upstream 0.9.8.

(The main problem people have with 0.9.8 right now is lack of TLS 1.1/1.2 support, and fixing that while preserving binary compatibility with 0.9.8 is quite a challenge.)

--
Florian Weimer / Red Hat Product Security

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
Perhaps a good model to take would be how the Linux kernel handles ancient stable kernels. After a while, Greg K-H stops supporting a long-term stable kernel. In some cases, a volunteer will step up and continue supporting some ancient kernel. Those ancient kernels don't get all bug fixes, and not even all security fixes. What they get is up to the volunteer.

In the Linux kernel case, those ancient stable kernels are listed on the front page of www.kernel.org. I sometimes fear that some people believe that all security fixes make it into, say, 2.6.32, or 3.2 or 3.4. In fact, I'm pretty sure there are cases when they don't, and one could make the case that the fact those ancient kernels are listed on the front page is a bad thing since it reduces the pressure on vendors to upgrade to something more recent and more secure.

Given that OpenSSL is a security-focused product, that might be a reason why it might not be a good idea to have such kernels advertised on the front page. But certainly having a single community-supported ancient release is probably better than multiple independent release engineers trying to support an ancient release. Much better of course would be to get everyone to upgrade. :-)

- Ted
[openssl-dev] 0.9.8 support after 31 Dec 2015
Hi,

You announced (https://www.openssl.org/about/releasestrat.html) that 0.9.8* versions of OpenSSL will be EOL on 31 Dec 2015.

Although I do understand this generation is getting old and support needs to be ceased at some point, could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?

This would let us patch, build on our OS, test and potentially keep fixing security issues on historical users...

Thanks a lot in advance for your answer,

Regards,

Vincent MAURY
CTO - Chief Technology Officer
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
Yes of course. But will the dev team suggest backports on this unofficial branch? Can I reasonably expect fixes?

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Salz, Rich
Sent: Tuesday, 21 July 2015 13:04
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] 0.9.8 support after 31 Dec 2015

> could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?

The best thing to do will probably be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch.
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
Rich, I think he was asking if the OpenSSL team would say if a new vulnerability affected 0.9.8 after support has ended.

On Jul 21, 2015, at 7:04 AM, Salz, Rich rs...@akamai.com wrote:
> > could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?
>
> The best thing to do will probably be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch.
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
> > could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?
>
> The best thing to do will probably be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch.

I'm sure you're not the only one that will be needing to support 0.9.8 after the official EOL. RedHat Enterprise Linux 5 comes to mind (supported until 3/2017), so there will definitely be others providing security related patches.
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
> could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?

The best thing to do will probably be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch.
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
That's a pretty clear answer. Thank you very much for your reactiveness.

Vincent

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Erwann Abalea
Sent: Tuesday, 21 July 2015 13:18
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] 0.9.8 support after 31 Dec 2015

Hello,

On 21 Jul 2015, at 13:11, Vincent Maury vma...@denyall.com wrote:
> Yes of course. But will the dev team suggest backports on this unofficial branch? Can I reasonably expect fixes?

*Suggest* backports, that may or may not be reasonable, depending on growing difference between 0.9.8 and head version at the time of vulnerability detection.
*Expect* fixes, this seems incompatible with an EOL decision.

> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Salz, Rich
> Sent: Tuesday, 21 July 2015 13:04
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
>
> > could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?
>
> The best thing to do will probably be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch.

Regards,
Erwann Abalea
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
> But will the dev team suggest backports on this unofficial branch? Can I reasonably expect fixes?

Anything is possible, but I would be very surprised.
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
Hello,

On 21 Jul 2015, at 13:11, Vincent Maury vma...@denyall.com wrote:
> Yes of course. But will the dev team suggest backports on this unofficial branch? Can I reasonably expect fixes?

*Suggest* backports, that may or may not be reasonable, depending on growing difference between 0.9.8 and head version at the time of vulnerability detection.
*Expect* fixes, this seems incompatible with an EOL decision.

> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Salz, Rich
> Sent: Tuesday, 21 July 2015 13:04
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
>
> > could we (0.9.8 users!) expect patch suggestions from the community on potential vulnerabilities found in 2016, in a best effort approach of course, without any official release?
>
> The best thing to do will probably be to fork the branch into a new repository on github and work there. We will not be checking anything into the official stable branch.

Regards,
Erwann Abalea
Re: [openssl-dev] 0.9.8 support after 31 Dec 2015
> I think he was asking if the OpenSSL team would say if a new vulnerability affected 0.9.8 after support has ended.

No.