[openssl-users] Applying security patches to 0.9.8a

Matt Caswell matt at openssl.org
Tue Apr 17 22:50:52 UTC 2018



On 17/04/18 23:36, Rob Marshall wrote:
> Hi,
> 
> The OS is SLES 10 SP3 and there are currently close to 80 binaries
> that appear to use libssl.so.0.9.8. They are from a bunch of different
> packages, so I would imagine that updating to anything more recent
> than 0.9.8 would be a major hassle and possibly not even possible.
> 
> I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
> which is way better than 0.9.8a which hasn't been touched since 2005.
> I'm trying to install 0.9.8zh now to see if that works.
> 
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?

Quick answer:

No

Longer answer:

You would have to analyse all of the security issues that have occurred
between the final release of 0.9.8 and the most up to date release of
1.0.2 (the oldest currently supported release). For each one you would
have to determine whether it is applicable to the 0.9.8 release and
then, if it is, backport it, which is likely to mean making a number of
changes to the patch. You're only going to be protected for that
security issue if you manage it without screwing up somewhere.

This is a *huge* amount of work. Do-able in theory. In practice - don't
bother.


Matt




> 
> Thanks,
> 
> Rob
> 
> On Tue, Apr 17, 2018 at 6:22 PM, Salz, Rich via openssl-users
> <openssl-users at openssl.org> wrote:
>>> I have an application that runs on an old OS that currently has
>>> OpenSSL 0.9.8a
>>
>> So you should be able to compile and install the last 0.9.8 release, https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zc.tar.gz  Note that this is more than two years old.  Many fixes have happened since then.
>>
>> Good luck.