OopSSL: Pushme-Pullyou for OpenSSL patches

The OpenSSL Project released its promised updates last week and, almost immediately, had to try again because of errors in the release.

The bugs fixed in the release include three moderate-level issues and one low-severity bug. They include denial-of-service vulnerability by crashing OpenSSL clients during certificate verification.

The fixes apply to OpenSSL 0.9.8zh, 1.0.0t, 1.0.1q and 1.0.2e branches. The 1.0.0 and 0.9.8 branches have been on OpenSSL's end-of-life list since December 2014, and the advisory notes that these will be the last fixes those two builds receive.

However, the OpenSSL maintainers were the targets of criticism from users after they discovered a mistake in the packages and re-issued the tarballs, without changing the version numbers.

Pardon, your slip is showing: OpenSSL announces the fix fixes on Twitter

One error was minor: a fix in OpenSSL 1.0.2 for CVE-2015-1794 wasn't documented. However, there were also missing files that stopped the updates from building, which led the group announcing the new versions on Twitter.

Not everyone was impressed that the maintainers simply kept the versions the same and re-issued the patches.

OpenSSL release today was broken. Instead of bumping the version they’re refreshing the tarballs to include missing files. OMFG OPENSSL WTF

— Bryan HorstmannAllen (@bdha) December 3, 2015

In OpenSSL's defence, The Register would remark that nobody installing a package that wouldn't build could be misled into thinking they'd successfully updated.

Sysadmins will also have to watch their vendor security advisories, since the OpenSSL bugs will be scattered around all sorts of kit. Indeed, the likes of Cisco are already offering fixes. ®