[openssl-users] Applying security patches to 0.9.8a

Vitezslav Cizek vcizek at suse.com
Wed Apr 18 11:17:31 UTC 2018


Hi,

On Tue, 17 Apr 2018 18:36:09 -0400
"Rob Marshall" <rob.marshall17 at gmail.com> wrote:

> The OS is SLES 10 SP3 and there are currently close to 80 binaries
> that appear to use libssl.so.0.9.8. They are from a bunch of different
> packages, so I would imagine that updating to anything more recent
> than 0.9.8 would be a major hassle and possibly not even possible.
> 
> I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
> which is way better than 0.9.8a which hasn't been touched since 2005.
> I'm trying to install 0.9.8zh now to see if that works.
> 
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?

Of course you can.
But all the patches will fail to apply automatically, at least because
of the recent source code reformat. You'll have to do it by hand.

The good news is that most of the security vulnerabilities wouldn't
affect 0.9.8a. Many were introduced in the newer functionality, such as
elliptic curves, DTLS or new asm implementations.

Btw, SUSE is still maintaining SLE-10 (and backporting all the
security fixes) for some customers.
If you have access to the support channels, perhaps you can ask them.

-- 
Vítězslav Čížek             Emergency Update Team (EMU)
"Whilst you sleep, we're probably saving the universe."


More information about the openssl-users mailing list