On Fri, Dec 03, 2010 at 09:50:49AM -0500, Erik Tkal wrote:

> That's a pretty bold statement and doesn't always apply in a product
> environment.

I have a production environment. The non-security issues in the unpatched 1.0.0b release create substantial interoperability issues with servers and clients that support EECDH key agreement. These issues are more severe than the CVEs fixed in either 1.0.0b or 1.0.0c. Therefore, if you have deployed 1.0.0b, you really must IMHO upgrade to 1.0.0c.

> I have not deployed 1.0.0b (because of the pending issues); I'm still
> at 1.0.0a and have to decide whether to patch the vulnerabilities,
> or risk updating OpenSSL completely and retesting all of its consumers.

Starting with 1.0.0, the stable release gets no new features, just bug fixes, so backporting just the CVE patches is not necessary: you can just deploy 1.0.0c shared libraries (and include files) in the locations where you previously had 1.0.0a libraries (and include files).

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
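The in-place upgrade Viktor describes (swap the 1.0.0a shared libraries for 1.0.0c, then smoke-test whatever links them) can be scripted. The following is an added example, not code from the list post or from the OpenSSL project: `drop_in_ok` decides whether a target version is a later letter release of the same stable series as the installed one, which is the only case where a library swap without a rebuild is expected to work, and `libssl_consumers` extracts the binaries to retest from `ldd`-style output. The `SAMPLE_LDD` text and the paths in it are constructed for the demonstration; the function names and return-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenSSL list post). Decide whether an installed
# OpenSSL can be replaced in place by a later letter release of the same
# stable series (e.g. 1.0.0a -> 1.0.0c), and list the binaries that load the
# shared libssl/libcrypto and therefore need a smoke test after the swap.

# Rank a release-letter suffix so that "" < "a" < "b" < ... < "z" < "za" ...
# (the empty suffix is the base release, e.g. "1.0.0").
letter_rank() {
    s="$1"; rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                        # first character of $s
        s=${s#?}                               # drop it
        rank=$(( rank * 27 + $(printf '%d' "'$c") - 96 ))   # 'a' -> 1
    done
    printf '%d' "$rank"
}

# drop_in_ok OLD NEW
# Returns 0 when NEW is a later letter release of the same stable series as
# OLD (shared-library drop-in), 1 when the series differs (rebuild and retest
# consumers), 2 when NEW is not newer than OLD, 3 when a version is malformed.
drop_in_ok() {
    old_base=${1%%[a-z]*}; old_letter=${1#"$old_base"}
    new_base=${2%%[a-z]*}; new_letter=${2#"$new_base"}
    for b in "$old_base" "$new_base"; do
        printf '%s\n' "$b" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 3
    done
    [ "$old_base" = "$new_base" ] || return 1
    [ "$(letter_rank "$new_letter")" -gt "$(letter_rank "$old_letter")" ] || return 2
    return 0
}

# Read "<binary>: <ldd output line>" pairs on stdin and print the distinct
# binaries that load the shared libssl or libcrypto. Such input can be made
# with: for b in /usr/sbin/*; do ldd "$b" | sed "s|^|$b: |"; done
libssl_consumers() {
    grep -E 'lib(ssl|crypto)\.so' | cut -d: -f1 | sort -u
}

# Constructed sample ldd output (hypothetical hosts and paths).
SAMPLE_LDD='/usr/sbin/httpd: libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f2a1c400000)
/usr/sbin/httpd: libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f2a1c000000)
/usr/sbin/sshd: libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f3b2d000000)
/usr/bin/ls: libc.so.6 => /lib/libc.so.6 (0x00007f4c3e000000)'

# Demo: 1.0.0a -> 1.0.0c is a drop-in; 1.0.0a -> 1.0.1 is a different series;
# 1.0.0c -> 1.0.0a is a downgrade.
for pair in "1.0.0a 1.0.0c" "1.0.0a 1.0.1" "1.0.0c 1.0.0a"; do
    set -- $pair
    rc=0; drop_in_ok "$1" "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then verdict="drop-in"; else verdict="not drop-in (rc=$rc)"; fi
    printf '%s -> %s: %s\n' "$1" "$2" "$verdict"
done
printf 'consumers to smoke-test after the swap:\n'
printf '%s\n' "$SAMPLE_LDD" | libssl_consumers
```

The series check is deliberately strict: a different third component (1.0.0 vs 1.0.1) is treated as a rebuild-and-retest case rather than a library swap, matching the "no new features in the stable release" rule Viktor relies on.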