openssl stuck at version 0.9.8q

Why is openssl stuck at openssl-0.9.8q in the core of FreeBSD 8.2 and 9.0? There are a number of security issues with 0.9.8q that were addressed in 0.9.8r and now 0.9.8s, yet these have not made it into the stable releases.

Thanks

Chris
 
Thanks for the reply. If the source tree has been patched then the version number has not been bumped up.

Code:
CMD>openssl version
OpenSSL 0.9.8q 2 Dec 2010

Regarding http://www.freshports.org/security/openssl: I am not keen on having two different versions of openssl installed on the same machine, and I understand from postings on the net that there are compatibility issues with the 1.0.0 branch.

I have to sort it though as our server gives a PCI compliance failure over this issue.
 
jacs said:
I have to sort it though as our server gives a PCI compliance failure over this issue.
That means it uses a rather 'dumb' way of checking. Apparently it only looks at the version strings and not at the specific vulnerabilities.

If I'm not mistaken Red Hat does the same thing on their systems. They backport the security fix and don't update the version numbers.
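
Added example, not part of the thread: a Python sketch contrasting the banner-only check described above with a check against the patch levels listed in a security advisory's "Corrected:" block. The function names, the sample block (constructed, with placeholder dates and patch levels) and the assumption that the caller supplies the installed release string are all illustrative.

```python
import re

# Constructed sample in the layout of an advisory's "Corrected:" block.
# Dates and patch levels are placeholders, not taken from a real advisory.
SAMPLE_CORRECTED = """\
Corrected:      2000-01-01 00:00:00 UTC (RELENG_8, 8.2-STABLE)
                2000-01-01 00:00:00 UTC (RELENG_8_2, 8.2-RELEASE-p99)
                2000-01-01 00:00:00 UTC (RELENG_9_0, 9.0-RELEASE-p99)
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
CORRECTED_RE = re.compile(r"\(RELENG_\w+,\s*(\d+\.\d+)-RELEASE-p(\d+)\)")
RELEASE_RE = re.compile(r"(\d+\.\d+)-RELEASE(?:-p(\d+))?")


def version_key(text):
    """Turn '0.9.8q' into (0, 9, 8, 'q') so letter releases sort correctly."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def banner_verdict(banner, fixed_in):
    """Banner-only check: looks at the version string and nothing else."""
    return "patched" if version_key(banner) >= version_key(fixed_in) else "vulnerable"


def corrected_levels(corrected_block):
    """Map release branch ('8.2') to the first patch level carrying the fix."""
    return {m.group(1): int(m.group(2)) for m in CORRECTED_RE.finditer(corrected_block)}


def patch_level_verdict(release, corrected_block):
    """Compare an installed release string against the advisory's patch levels."""
    m = RELEASE_RE.fullmatch(release)
    if m is None:
        return "unknown"              # e.g. -STABLE builds need a date comparison
    fixed = corrected_levels(corrected_block).get(m.group(1))
    if fixed is None:
        return "unknown"              # branch not listed in this advisory
    installed = int(m.group(2) or 0)  # plain "-RELEASE" means patch level 0
    return "patched" if installed >= fixed else "vulnerable"


if __name__ == "__main__":
    print(banner_verdict("OpenSSL 0.9.8q 2 Dec 2010", "0.9.8r"))
    print(patch_level_verdict("8.2-RELEASE-p99", SAMPLE_CORRECTED))
```

The two verdicts can disagree for the same host, which is the situation a scanner report based only on the banner cannot distinguish.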
 