On 08-03-18 21:22, Richard Laager wrote:
>> Can't we simply enforce a reasonable level? (e.g. maximum of XX months
>> old version of openssl)
>
> Probably not, as backported fixes for particular issues will not
> increment the version number.
But fixes by the openssl team /will/ increment the

On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
>
> Isn't this potentially the case with any dependency?

devel@ntpsec.org said:
> Why wouldn't we require a certain openssl version as there are a number of
> security vulnerabilities in (older) openssl?
Do you have a pointer to a list of the insecure versions with a summary of
the bug so we can see if we use that feature?
--
These are my

Hello,

I noticed the commit at
https://gitlab.com/NTPsec/ntpsec/commit/6d17955b03ca65d67f2cc2ceba01bd60e07d5fd4
and have a question regarding this:

Why wouldn't we require a certain openssl version as there are a number
of security vulnerabilities in (older) openssl?

Kind regards,
Udo