I was recently asked why Stratus was not providing security updates for customers running OpenSSL on releases of VOS prior to 17.0, when we are still providing updates to customers running OpenSSL on VOS 14.7 on Continuum. On the face of it, this seems like an inconsistent policy. Since OpenSSL is one of the most security-sensitive products that we offer for the VOS operating system, it is important to understand how we manage it.
First, a brief review of the versions of OpenSSL that we have offered, or still offer.
1. OpenSSL for VOS Release 1.0, based on Version 0.9.7c, Continuum platform, Base release VOS 14.7, released January 2005; OpenSSL 0.9.7c dates from September 2003.
2. OpenSSL for VOS Release 2.0, based on Version 0.9.7e, V Series platform, Base release VOS 15.1, released August 2005; OpenSSL 0.9.7e dates from October 2004.
3. OpenSSL for VOS Release 1.1, based on Version 1.0.0, Continuum platform, Base release VOS 14.7, released May 2011; OpenSSL 1.0.0 dates from March 2010.
4. Internet Security Pack for OpenVOS Release 2.1 (contains OpenSSL), based on Version 1.0.0, Base Release OpenVOS 17.0, released May 2011.
5. OpenSSL for VOS Release 1.1.1, based on Version 1.0.0k, Continuum platform, Base release VOS 14.7, released March 2014; OpenSSL 1.0.0k dates from February 2013.
6. Internet Security Pack for OpenVOS Release 2.1.1c (contains OpenSSL), based on Version 1.0.0k, V Series platform, Base release OpenVOS 17.0, released March 2014.
Note that the product was first released in 2005, updated in 2001, and updated again earlier this year. When we update the product, we refresh the entire source code base to the current version that has been released by the authors. This incorporates all new features, bug fixes, and security patches. In between these major updates, we only apply security patches, corrections to porting issues, or (occasionally) important bug fixes.
We have been diligent about monitoring the OpenSSL mailing list to learn of the release of security patches. We immediately set out to create a new bug-fix release containing those changes, and we make it available for download at http://openvos1.stratus.com. The file “openssl_RELEASE_updates.memo” contains the list of security fixes that we have applied (where the string RELEASE should be replaced by the release name; e.g., 1.1.1).
But we only update the most current version, which is now Releases 1.1.1 and 2.2.1.
Customers who are not accustomed to using open-source software may not understand why we do not apply security patches to older, previous releases. The open-source community behaves pretty responsibly with respect to making security patches available, but they do not generally go back in time for very many releases. Partially, this is because they put out many more releases that we (Stratus VOS) put out. Partially, it is because they operate in a world where customers upgrade the entire package (via RPM, APT, or YUM), and do so quite easily. We have no control over them, and we have no control over how far they go back. We don’t know their code, either, and this is a very important point. If they do not provide a bug fix or security patch for an old version, it is highly unlikely that we can craft an accurate patch on our own.
Therefore, we have chosen to update the most current releases of our open-source products when we get security fixes. Even then, we sometimes have to update the entire source code base, rather than take just a patch. This is why we just refreshed the source code base for OpenSSL 1.1.x/2.1.x in March for this very reason. OpenSSL 1.1.x and 2.1.x use identical source code; only the compilation options are different. This was a deliberate decision on our part to simplify the task of maintaining the two releases.
Customers who are on the previous releases of OpenSSL (1.0 and 2.0) are using software that is 11 and 10 years old, respectively. We released their successor products in May, 2011. So, our customers have had 3 years to upgrade to current, fully-supported releases of VOS and of these layered products. Surely that is plenty of time for any customer. True, this means that customers who wish to avoid bugs like “Heartblead” must keep up with VOS Releases, too, as OpenSSL 2.1.x requires a base release of at least OpenVOS 17.0. I’d argue that keeping up with current revisions of software is a basic function of any shop. In the open-source world, it is more important than ever.
If you have any questions or concerns about this, please contact Stratus Customer Service, or your Account Executive.