[PATCH] SSL: guard use of all SSL options for bug workarounds

Alex alex at zeitgeist.se
Tue Sep 9 08:11:27 UTC 2014


Hi,

On 2014-09-09 04:47, Maxim Dounin wrote:
> What makes you think that there are any vulnerabilities?  As far as
> I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
> compilation with) is still commercially supported as a part of at
> least one OS, and will be supported till 2017.

Indeed. For example, OpenSSL before 1.0.1 (including the 0.9.8 and 0.9.7 
branches) was not vulnerable to Heartbleed. New versions bring new 
features which may also open room for new vulnerabilities. What's 
important is that long term distributions continue to backport 
vulnerability fixes.

> We'll probably bump this to 0.9.8 once we get bored with 0.9.7
> compatibility, but that's all we can do now without introducing a
> lot of trouble: various major OSes are shipped with 0.9.8*, and
> the 0.9.8 branch is still supported by OpenSSL.

That would make sense. 0.9.7 isn't officially supported anymore (i.e. 
it's completely up to long term distributions to backport fixes). 0.9.8 
however still is, with the latest version being 0.9.8zb, which was just 
released last month.
