OpenSSL version string format changed
By janp on Jan 14, 2009
    $ openssl version
    OpenSSL 0.9.8a 11 Oct 2005 (+ security patches to 2007-10-13)
The part in parentheses was added by us. The date was the day of the last OpenSSL security advisory, as explained in that first blog entry mentioned above. It served fairly well: customers could see that the OpenSSL version shipped with Solaris was not an unpatched 0.9.8a.
The problem we realized later was that if those fixes get backported into Solaris 10 out of order because several OpenSSL advisories were released in a short time (which happened), the date alone is not enough. So we decided to do what we had already considered when changing the version string the first time: include Common Vulnerabilities and Exposures (CVE) numbers directly in the version string. With my push into Nevada today, that happened. The version string now looks like this:
    $ openssl version
    OpenSSL 0.9.8a 11 Oct 2005 (+ security fixes for: CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-3108 CVE-2007-4995 CVE-2007-5135 CVE-2008-5077)
Note that the whole output is actually on one line. It might seem too long, but remember that it is normally not used much, and what matters more is that it now carries all the important security information. We didn't want to insert any line breaks because we were afraid some Configure scripts that check the OpenSSL version might get confused if a one-liner turned into a multi-liner.
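As an added example (not from the original post or from Solaris itself), a small parser for this one-line format lets a script check which CVEs a build claims to fix instead of trusting the bare "0.9.8a"; the regular expressions, class and function names are my own, and the two sample strings are copied from the outputs above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample inputs constructed from the two version strings shown in the post.
SAMPLE_OLD = "OpenSSL 0.9.8a 11 Oct 2005 (+ security patches to 2007-10-13)"
SAMPLE_NEW = ("OpenSSL 0.9.8a 11 Oct 2005 (+ security fixes for: CVE-2006-2937 "
              "CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 "
              "CVE-2007-3108 CVE-2007-4995 CVE-2007-5135 CVE-2008-5077)")

# "OpenSSL <version> <dd Mon yyyy>" optionally followed by one parenthesised
# suffix; the suffix is where Solaris puts its patch date or CVE list.
_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\S+)\s+(\d{1,2} \w{3} \d{4})(?:\s+\((.*)\))?$")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
_PATCH_DATE_RE = re.compile(r"security patches to (\d{4}-\d{2}-\d{2})")


@dataclass
class OpenSSLVersion:
    version: str                      # e.g. "0.9.8a"
    release_date: str                 # upstream release date, e.g. "11 Oct 2005"
    patch_date: Optional[str] = None  # older Solaris format: last advisory date
    cves: List[str] = field(default_factory=list)  # newer format: fixed CVEs

    def fixes(self, cve: str) -> bool:
        """True if the build advertises a fix for the given CVE id."""
        return cve.upper() in self.cves


def parse_version(line: str) -> OpenSSLVersion:
    """Parse one line of `openssl version` output (assumed single-line)."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised openssl version output: {line!r}")
    version, release_date, suffix = m.groups()
    info = OpenSSLVersion(version=version, release_date=release_date)
    if suffix:
        d = _PATCH_DATE_RE.search(suffix)
        if d:
            info.patch_date = d.group(1)
        # De-duplicate and sort so the list is stable regardless of suffix order.
        info.cves = sorted(set(_CVE_RE.findall(suffix)))
    return info
```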
As for the objection that we wouldn't have to do this if we upgraded to a current version of OpenSSL: that's true. However, the problem is that OpenSSL in Solaris is now part of the ON consolidation, and upgrading it there is quite complicated. I don't want to go into details, but the plan is to move it to the SFW consolidation soon(TM), which should make it easier for us to upgrade OpenSSL in a timely manner.