Thank you, Tobias. That's not great from a visibility point of view, for example I was under the strong impression that Ubuntu was still using 3.0.13 - there are no immediate signs that it is otherwise and led me to create this bug report.
What would be better if the version reported was "3.0.13 plus patches" and there was some link included in the package to a page showing which patches are applied. I can understand why Ubuntu would not just adopt versions completely and prefer partial security, but I would have thought with adequate testing it would be fine to adopt a patch version 17 over 13. Looking at the difference log between those two versions it seems to be all about bug fixes, CVEs and small improvements rather than any major functional differences. To change APIs on a patch level would be very unusual for any software. Anyway, good to know that Ubuntu 24.04 is on top of CVEs in OpenSSL, even though the version in use might indicate otherwise. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2125752 Title: OpenSSL package in Ubuntu 24.04 needs updating To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2125752/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
