component/openssl: version 1.1.1b and 1.0.2r.

component/openssl/buildout.cfg

@@ -17,8 +17,8 @@ parts =
 [openssl]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://www.openssl.org/source/openssl-1.1.0j.tar.gz
-md5sum = b4ca5b78ae6ae79da80790b30dbedbdc
+url = https://www.openssl.org/source/openssl-1.1.1b.tar.gz
+md5sum = 4532712e7bcc9414f5bce995e4e13930
 location = @@LOCATION@@
 # 'prefix' option to override --openssldir/--prefix (which is useful
 # when combined with DESTDIR). Used by slapos.package.git/obs
@@ -57,8 +57,8 @@ openssl = ${openssl:location}/bin/openssl
 [openssl-1.0]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://www.openssl.org/source/openssl-1.0.2p.tar.gz
-md5sum = ac5eb30bf5798aa14b1ae6d0e7da58df
+url = https://www.openssl.org/source/openssl-1.0.2r.tar.gz
+md5sum = 0d2baaf04c56d542f6cc757b9c2a2aac
 location = @@LOCATION@@
 # 'prefix' option to override --openssldir/--prefix (which is useful
 # when combined with INSTALL_PREFIX). Used by slapos.package.git/obs

[Julien Muchembled]

I have doubts about 1.0.2r. I recently upgraded to this version on a Debian setup (1.0.2r-1~deb9u1) and it broke software linked to 1.0.2. Reverting to 1.0.2q-2 fixed the regression. I didn't have time yet to report the issue.

[Julien Muchembled]

I bisected: it's https://github.com/openssl/openssl/pull/7856

It looks a bad idea to do anything else but security fixes for branches that have got so little attention by distributions from a functional point of view.

In SlapOS, we don't have the software I referred to. But one should rather work on dropping [openssl-1.0], rather than risking regressions.