Hi,

On 2014-09-09 04:47, Maxim Dounin wrote:
> What make you think that there are any vulnerabilities?  As far as
> I know, OpenSSL 0.9.7* (the oldest branch nginx currently supports
> compilation with) is still commercially supported as a part of at
> least one OS, and will be supported till 2017.

Indeed. For example, OpenSSL versions before 1.0.1 (including the 0.9.8 and 0.9.7 branches) were not vulnerable to Heartbleed. New versions bring new features, which may also open room for new vulnerabilities. What's important is that long-term distributions continue to backport vulnerability fixes.

> We'll probably bump this to 0.9.8 once we'll get bored with 0.9.7
> compatibility, but that's all we can do now without introducing a
> lot of trouble: various major OSes are shipped with 0.9.8*, and
> 0.9.8 branch is still supported by OpenSSL.

That would make sense. 0.9.7 isn't officially supported anymore (i.e. it's completely up to long term distributions to backport fixes). 0.9.8 however still is, with the latest version being 0.9.8zb that was just released last month.
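The version bookkeeping in this thread (0.9.7 no longer supported upstream, 0.9.8 current at 0.9.8zb, Heartbleed limited to 1.0.1 and later) is exactly what an operator has to check across a fleet, and the classic OpenSSL version scheme does not sort as plain strings ("0.9.8z" comes before "0.9.8za" and "0.9.8zb"). The Python below is an added example, not code from nginx, OpenSSL or this thread: it orders classic OpenSSL version strings correctly, pulls the version out of an `openssl version` banner, and classifies a build against the newest release of its branch. The function names, the `LATEST_PER_BRANCH` map and the sample banners are constructed for the example; the map is filled in only from what the thread states.

```python
import re

# Classic OpenSSL versions: MAJOR.MINOR.FIX followed by an optional lowercase
# patch-letter suffix ("0.9.8zb", "1.0.1"). Later schemes are out of scope.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Return a tuple that sorts the way OpenSSL patch levels are ordered.

    "0.9.8" < "0.9.8a" < ... < "0.9.8z" < "0.9.8za" < "0.9.8zb": the numeric
    triple sorts first, then the suffix by length and then alphabetically.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a classic OpenSSL version string: %r" % (text,))
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def version_from_banner(banner):
    """Extract the version token from `openssl version` output.

    The banner is "OpenSSL <version> <build date>"; only the second
    whitespace-separated token is used, so the date is ignored.
    """
    parts = banner.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError("unexpected banner: %r" % (banner,))
    return parts[1]


def branch_of(version):
    """'0.9.8zb' -> '0.9.8': the numeric triple identifies the release branch."""
    major, minor, fix = parse_version(version)[:3]
    return "%d.%d.%d" % (major, minor, fix)


def is_before(version, boundary):
    """True if version sorts strictly below boundary."""
    return parse_version(version) < parse_version(boundary)


def assess(banner, latest_per_branch):
    """Classify one host's OpenSSL build (hypothetical inventory check).

    latest_per_branch maps branch -> newest upstream release the operator
    knows about. A build below its branch's latest is flagged for update;
    a branch missing from the map is flagged as unsupported upstream, i.e.
    fixes for it depend entirely on a distribution backporting them.
    """
    version = version_from_banner(banner)
    branch = branch_of(version)
    latest = latest_per_branch.get(branch)
    if latest is None:
        status = "branch-not-supported-upstream"
    elif is_before(version, latest):
        status = "behind-latest"
    else:
        status = "current"
    return {
        "version": version,
        "branch": branch,
        "status": status,
        # The thread notes that releases before 1.0.1 were not affected by
        # Heartbleed; this flag records which side of that line a build is on.
        "predates_1_0_1": is_before(version, "1.0.1"),
    }


# Constructed sample data (not real hosts). The thread states that 0.9.8zb is
# the latest 0.9.8 release and that 0.9.7 is no longer supported upstream.
LATEST_PER_BRANCH = {"0.9.8": "0.9.8zb"}
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8zb",
    "OpenSSL 0.9.8y",
    "OpenSSL 0.9.7m",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess(b, LATEST_PER_BRANCH))
```

On a distribution that backports fixes, the banner version alone understates the patch level (Debian-style packages keep the upstream version string and carry fixes in the package revision), so treat "behind-latest" as a prompt to check the package changelog rather than as a verdict.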

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
