On 17/04/18 23:36, Rob Marshall wrote: > Hi, > > The OS is SLES 10 SP3 and there are currently close to 80 binaries > that appear to use libssl.so.0.9.8. They are from a bunch of different > packages, so I would imagine that updating to anything more recent > than 0.9.8 would be a major hassle and possibly not even possible. > > I did find openssl-0.9.8zh.tar.gz which was last modified in 2015 > which is way better than 0.9.8a which hasn't been touched since 2005. > I'm trying to install 0.9.8zh now to see if that works. > > But I know someone is going to ask: Can you apply all of the newer > security fixes to 0.9.8zh? So I'll ask...can I? Quick answer: No Longer answer: You would have to analyse all of the security issues that have occurred between the final release of 0.9.8 and the most up to date release of 1.0.2 (the oldest currently supported release). For each one you would have to determine whether it is applicable to the 0.9.8 release and then, if it is, backport it, which is likely to mean making a number of changes to the patch. You're only going to be protected for that security issue if you manage it without screwing up somewhere. This is a *huge* amount of work. Do-able in theory. In practice - don't bother. Matt > > Thanks, > > Rob > > On Tue, Apr 17, 2018 at 6:22 PM, Salz, Rich via openssl-users > <openssl-users@xxxxxxxxxxx> wrote: >>> I have an application that runs on an old OS that currently has >> OpenSSL 0.9.8a >> >> So you should be able to compile and install the last 0.9.8 release, https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zc.tar.gz Note that this is more than two years old. Many fixes have happened since then. >> >> Good luck. >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
