Hi, Am 29.04.16 um 21:28 schrieb David Hollenberg: > Will the OpenSSL 1.0.1s package be released? > > I noticed that OpenSSL 1.0.1s has blocking bugs. Looks like there is some > concern that removal of SSL2 will break some things. > > We don't need 1.0.1s, but the OpenSSL project has announced version 1.0.1t > to be released on May 3. It has fixes for some high impact security bugs > so we hope to get that version soon after it is released.
1.0.1t is in unstable now. And 1.0.1s in testing yesterday (bad timing :) Sorry for the delay. With 1.0.1t they did the right thing which they should have done in the first place. Not remove the sslv2 functions but just return NULL if you disabled sslv2. So applications will not explode crash or whatever. Just will not be able to start a session. I will probably push 1.0.1t faster to testing as 1.0.1s is broken from my point of view. Greetings Jan
