Re: out of date packages - an observation




On Wed, Sep 07, 2016 at 11:51:20AM -0400, Genes Lists via arch-general wrote:
> openssl - Arch has 1.0.2.h - Out of date as of 8/25/2016  
>        - 1.1.0 was released upstream on 8/25/2016  

This one is a most difficult case.

a)  1.0.2.h is still a supported LTS release, so in terms of security
    this is not a huge problem.

b)  Even if a program compiles against 1.1.0, it still needs to be
    verified if that program has been updated for 1.1.0 because of
    subtle API breakage (functions behaving differently, suddenly
    returning values that need to be checked, etc).

c)  Even some major software packages do not support 1.1.0 yet [1].

In the light of the latter two points, a number of packages using
OpenSSL need to be reviewed carefully. I'm sure the package maintainer
is aware of this, so some waiting is inevitable and understandable.

--
[1] https://bugs.python.org/issue26470
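Point b) and the closing paragraph say that packages built against OpenSSL need review before the library moves to 1.1.0. As an added example that is not part of this thread, the POSIX shell helper below inventories which ELF objects still link the 1.0.x sonames rather than the 1.1 ones, working from `readelf -d` output; the soname values (libssl.so.1.0.0/libcrypto.so.1.0.0 for 1.0.x, libssl.so.1.1/libcrypto.so.1.1 for 1.1.0) are assumptions about the packaged library names, and the sample readelf lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find ELF objects that still link the
# OpenSSL 1.0.x ABI (libssl.so.1.0.0 / libcrypto.so.1.0.0, assumed sonames)
# rather than the 1.1.0 ABI (libssl.so.1.1 / libcrypto.so.1.1), based on the
# NEEDED entries printed by `readelf -d`. Those objects are the ones a
# maintainer must rebuild and check for API changes before libssl can move.

# Print "<soname> <branch>" for every OpenSSL library among the NEEDED
# entries read from stdin. Branch is 1.0, 1.1 or unknown.
openssl_abi_from_readelf() {
    awk '/\(NEEDED\)/ && match($0, /\[lib(ssl|crypto)\.so\.[0-9.]+\]/) {
        so = substr($0, RSTART + 1, RLENGTH - 2)
        if (so ~ /\.so\.1\.0\.0$/)    branch = "1.0"
        else if (so ~ /\.so\.1\.1$/)  branch = "1.1"
        else                          branch = "unknown"
        print so, branch
    }'
}

# Exit 0 when the readelf output on stdin shows a 1.0-branch dependency,
# i.e. the object would break once only the 1.1 sonames are installed.
needs_openssl_review() {
    openssl_abi_from_readelf | grep -q ' 1\.0$'
}

# Walk a directory tree (e.g. /usr/bin or a package's installed files) and
# print every file that links the old ABI. Non-ELF files are skipped because
# readelf fails on them and its stderr is discarded.
scan_tree_for_old_openssl() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        if readelf -d "$f" 2>/dev/null | needs_openssl_review; then
            echo "$f"
        fi
    done
}

# Constructed sample of `readelf -d` output for a binary built against 1.0.x.
SAMPLE_READELF='0x0000000000000001 (NEEDED)  Shared library: [libssl.so.1.0.0]
0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.0.0]
0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Run the classifier over the constructed sample.
demo_sample() {
    printf '%s\n' "$SAMPLE_READELF" | openssl_abi_from_readelf
}
```

Running `scan_tree_for_old_openssl /usr/bin` on a live system lists the binaries to rebuild; the sample shows both OpenSSL libraries classified as 1.0 and libc ignored.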


