[openssl-dev] 1.0.1t ?
Salz, Rich
rsalz at akamai.com
Wed Mar 23 16:47:24 UTC 2016
> 1.0.1t does not currently have a planned release date. Releases are
> scheduled on an as-needed basis, typically (although not always) as a result
> of security defects being discovered. We normally only announce a release
> date for security fixes a few days in advance.
And note that 1.0.1 is on a security-fixes-only state.
> > Disabling SSLv2 in a default build will break applications we have
> > released that depended on SSLv2 by default like release 2.2.29 of
> > Apache’s httpd.
> >
> > We can change our SSL build but would rather have fixes in an official
> > release.
Yes, we broke compatibility in our desire to make sure everyone was "safe" from the attack. Sorry about that; we'll fix it next time a security patch for 1.0.1 comes out.
One approach is to look at the branch in our GIT repo's and cherry-pick the fix to your release for now.
More information about the openssl-dev
mailing list