Comment 1 Jeroen Roovers (RETIRED) 2014-08-08 14:31:23 UTC

The upstream ChangeLog doesn't list any reason for an urgent stabilisation, barring the OpenSSL security bug that only affects their Windows binaries.

Stable for HPPA.

Comment 2 Agostino Sarubbo 2014-08-08 15:28:35 UTC

If we don't use a bundled version of openssl, then there is no update for us.

Comment 3 Anthony Basile 2014-08-09 12:40:40 UTC

(In reply to Jeroen Roovers from comment #1)
> The upstream ChangeLog doesn't list any reason for an urgent stabilisation,
> barring the OpenSSL security bug that only affects their Windows binaries.
> 
> Stable for HPPA.

Correct, but in src/ctx.c they relaxed a precompiler condition which looks like it might be for enhanced security:

-#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
+#if OPENSSL_VERSION_NUMBER>=0x0090700fL
     SSL_CTX_set_default_passwd_cb(section->ctx, password_cb);
 #endif

I can't make sense if this is related to any of the stuff in the openssl security advisory: https://www.openssl.org/news/secadv_20140806.txt.  So I erred on the side of caution.

Comment 4 Anthony Basile 2014-08-09 12:41:23 UTC

(In reply to Agostino Sarubbo from comment #2)
> If we don't use a bundled version of openssl, then there is no update for us.

That's not what's going on here.  See my previous comment.

Comment 5 Anthony Basile 2014-08-12 22:21:24 UTC

stable on ppc, ppc64 and arm.

Comment 6 Anthony Basile 2014-09-22 11:10:06 UTC

stable amd64/x86

Comment 7 Anthony Basile 2014-11-17 12:18:04 UTC

@remaining arch teams: please start work on bug #528004