On Wed, Sep 07, 2016 at 11:51:20AM -0400, Genes Lists via arch-general wrote:
openssl - Arch has 1.0.2.h - Out of date as of 8/25/2016 - 1.1.0 was released upstream on 8/25/2016
This one is a most difficult case. a) 1.0.2.h is still a supported LTS release, so in terms of security this is not a huge problem. b) Even if a program compiles against 1.1.0, it still needs to be verified if that program has been updated for 1.1.0 because of subtle API breakage (functions behaving differently, suddenly returning values that need to be checked, etc). c) Even Some major software packages do not support 1.1.0 yet [1]. In the light of the latter two points, a number of packages using OpenSSL needs to be reviewed carefully. I'm sure the package maintainer is aware of this, so some waiting is inevitable and understandable. -- [1] https://bugs.python.org/issue26470