
I am a very inexperienced server owner and wanted to make sure I have a fix for Heartbleed.
After updating, "openssl version" still shows 1.0.1e, and I wondered what to do to get a Heartbleed-free version. After googling I found out about "openssl version -b" and Debian's "backporting policy".
Since my build is from 8 April, I assume I have a fixed version.

You can find several discussions of users like me being unsettled by this.
They are essentially invalidating the significance of version numbers.
Why are they doing this?

ASA

1 Answer


Debian validated that version of their operating system against all of the features in 1.0.1e. 1.0.1f added more features to openssl that have not been thoroughly tested in the Debian environment. 1.0.1g is the version with all of the 1.0.1f features and the bug fix for heartbleed. Instead of introducing those features and possible incompatibilities by using 1.0.1g, the Debian package maintainers took the source code for the validated 1.0.1e and added the heartbleed bug fix. This is what you get when doing an aptitude update.

The numbering problem is really an openssl team issue. They are apparently very hesitant to increment their version numbers in a standard way that allows for bug fix increments without extra features. Normal software development practice is to have the first digit indicate large feature changes, incrementing the second digit is done for small feature changes, and the third digit is reserved for bug fixes with no new features.
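Because of the backporting the answer describes, "openssl version" cannot tell you whether the fix is installed; the evidence lives in the Debian package revision (the part after the dash) and in the package changelog. The script below is an added example, not code from the question or the answer, that checks those two things instead of the upstream version string. The package name libssl1.0.0, the CVE id CVE-2014-0160, the changelog path under /usr/share/doc, and the fixed wheezy version 1.0.1e-2+deb7u5 (quoted from memory of the Debian security advisory; verify it against the advisory for your release) are assumptions I make here, not facts stated on this page. The sample changelog inside the script is constructed so the parsing runs offline; the live check runs only against a real Debian host.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# On Debian a backported security fix does not change the upstream version
# that `openssl version` prints (1.0.1e); it shows up in the package
# revision (e.g. 2+deb7u5) and in the package changelog. Check those.
#
# Assumptions (not stated on the page): the library package is libssl1.0.0,
# Heartbleed is CVE-2014-0160, the fixed wheezy package version is
# 1.0.1e-2+deb7u5 (from memory of the Debian advisory; verify it), and the
# package changelog lives at /usr/share/doc/<pkg>/changelog.Debian.gz.

# Print the contents of a Debian changelog, decompressing .gz files.
read_changelog() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Print "yes" if the changelog mentions the given CVE id, "no" otherwise.
# A backported fix is recorded here even though the upstream version
# string in `openssl version` stays the same.
changelog_mentions_cve() {
    if read_changelog "$1" | grep -q -- "$2"; then
        echo yes
    else
        echo no
    fi
}

# Print "yes" if installed version $1 is >= fixed version $2 under Debian
# version ordering (dpkg --compare-versions understands revisions such as
# 2+deb7u5), "no" otherwise, or "unknown" when dpkg is not available.
version_is_fixed() {
    command -v dpkg >/dev/null 2>&1 || { echo unknown; return 0; }
    if dpkg --compare-versions "$1" ge "$2"; then echo yes; else echo no; fi
}

# Live check for a real Debian host: package revision, changelog, build date.
check_installed_fix() {
    pkg=$1 cve=$2 fixed=$3
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) \
        || { echo "$pkg is not installed"; return 2; }
    echo "installed $pkg: $ver"
    echo "at or above fixed version $fixed: $(version_is_fixed "$ver" "$fixed")"
    echo "$cve in changelog: $(changelog_mentions_cve "/usr/share/doc/$pkg/changelog.Debian.gz" "$cve")"
    # `openssl version -b` prints the build date, the only hint the binary
    # itself gives that it was rebuilt after the patch went in.
    openssl version -b 2>/dev/null || true
}

# Constructed sample changelog (not a real Debian file) shaped like the
# entry a backported fix leaves behind, so the parser can run offline.
sample_changelog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Backport the fix for CVE-2014-0160 (TLS heartbeat read overrun,
    "Heartbleed"); the upstream version stays 1.0.1e.

 -- Example Maintainer <maint@example.org>  Mon, 07 Apr 2014 22:00:00 +0200

openssl (1.0.1e-2+deb7u4) wheezy-security; urgency=high

  * Earlier security update; no Heartbleed fix yet.

 -- Example Maintainer <maint@example.org>  Sun, 02 Feb 2014 12:00:00 +0100
EOF
    echo "$f"
}

# Offline demonstration on the constructed changelog. On a real host run:
#   check_installed_fix libssl1.0.0 CVE-2014-0160 1.0.1e-2+deb7u5
demo=$(sample_changelog)
echo "CVE-2014-0160 in sample changelog: $(changelog_mentions_cve "$demo" CVE-2014-0160)"
rm -f "$demo"
```

The point of the script is the order of evidence: the package revision and changelog are authoritative, the build date from "openssl version -b" is only corroborating, and the upstream version string is no evidence at all on a distribution that backports.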