No More Security Fixes For Older OpenSSL Branches (csoonline.com)
itwbennett writes: The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches, OpenSSL 1.0.0t and 0.9.8zh, they will likely be the last security updates because support for these two branches will end on Dec. 31. Previous research has shown that many companies using in-house built software keep poor records of which library versions their developers used in which of their applications. 'This makes it very likely that some systems and applications with OpenSSL 0.9.8 and 1.0.0 will never be updated, leaving them exposed to any critical vulnerabilities found in the library in the future,' writes Lucian Constantin.
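The record-keeping problem the summary describes has a cheap partial check: OpenSSL compiles a version banner (for example "OpenSSL 0.9.8zh 3 Dec 2015") into libcrypto and into any binary that links it statically, so a scan of your own builds for that banner tells you which branch each one carries. The script below is an added example, not code from the article or from the OpenSSL project; it scans byte blobs for that banner and flags the 0.9.8 and 1.0.0 branches whose support the summary says ends Dec. 31. The sample blobs are constructed stand-ins for binaries, and the function and sample names are mine.

```python
import re
from collections import namedtuple

# Version banner OpenSSL embeds in libcrypto and statically linked builds,
# e.g. b"OpenSSL 0.9.8zh 3 Dec 2015" or b"OpenSSL 1.0.2e 3 Dec 2015".
# The build date after the version is optional in this pattern because
# some strings (e.g. in error text) carry only the version.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?: +(\d{1,2} [A-Za-z]{3} \d{4}))?"
)

# Branches the summary says stop receiving security fixes after Dec. 31.
EOL_BRANCHES = ("0.9.8", "1.0.0")

Finding = namedtuple("Finding", "path version branch eol")


def branch_of(version):
    """Map a release string to its branch: '1.0.0t' -> '1.0.0', '0.9.8zh' -> '0.9.8'."""
    return re.match(r"\d+\.\d+\.\d+", version).group(0)


def scan_blob(path, data):
    """Return one Finding per distinct OpenSSL version banner found in `data`."""
    findings = []
    seen = set()
    for match in BANNER.finditer(data):
        version = match.group(1).decode("ascii")
        if version in seen:          # the same banner often appears several times
            continue
        seen.add(version)
        branch = branch_of(version)
        findings.append(Finding(path, version, branch, branch in EOL_BRANCHES))
    return findings


def scan_files(paths):
    """Scan real files on disk (e.g. every executable under a build output directory)."""
    results = []
    for p in paths:
        with open(p, "rb") as fh:
            results.extend(scan_blob(p, fh.read()))
    return results


# Constructed stand-ins for in-house binaries (hypothetical names, not real files):
# junk bytes around the banner a static link of libcrypto leaves behind.
SAMPLES = {
    "legacy_app":  b"\x7fELF\x00\x00junk" + b"OpenSSL 0.9.8zh 3 Dec 2015" + b"\x00more",
    "current_app": b"\x7fELF\x00\x00" + b"OpenSSL 1.0.2e 3 Dec 2015\x00",
    "no_ssl_tool": b"\x7fELF\x00\x00nothing here\x00",
}


def scan_samples():
    """Run the scanner over the constructed samples, in dictionary order."""
    results = []
    for name, blob in SAMPLES.items():
        results.extend(scan_blob(name, blob))
    return results


def eol_findings(findings):
    """Keep only the findings on an end-of-life branch."""
    return [f for f in findings if f.eol]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}: OpenSSL {f.version} (branch {f.branch}) "
              f"{'EOL - rebuild against a supported branch' if f.eol else 'ok'}")
```

Two caveats when using this against a real tree: binaries that link libssl dynamically carry no banner of their own, so their version is whatever the system library is and belongs to the package manager's inventory instead; and distributions sometimes backport fixes without changing the banner, so a flagged branch says "check this", not "this is definitely unpatched". Point `scan_files` at the build artefacts you ship, not just at the source repositories, since the summary's point is precisely that the source-to-binary mapping is what companies lose track of.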
I don't believe the problem software will percolate up to the users' attention, given the very root problem is companies using in-house software DO NOT keep track of what version of OpenSSL their own developers are using. So, even if you patch the old versions, you have absolutely no guarantee your own developers will use the patched version. So, given this, why should OpenSSL developers continue to patch OLD versions which NOBODY keeps track of? Seems to me a waste of time and resources that could be dedicated to the latest versions instead. It takes two to tango. The security problem is not only on the OpenSSL developers team's shoulders. My experience is in-house developers don't give a fuck about security unless you force them, and even in that case, they are often doing it wrong.
Achille Talon
Hop!