[Discussion] OpenSSL 1.1.1 support in Debian Buster and Bullseye

#1 Post by sanal »

OpenSSL 1.1.1 public EOL date is Sep 2023. Post that, what is the plan for Debian (buster and bullseye) to provide the support for OpenSSL 1.1.1? Asking this to take the call on whether to upgrade to bookworm.

#2 Post by Aki »

Hello,
sanal wrote: 2023-05-11 02:24 OpenSSL 1.1.1 public EOL date is Sep 2023. Post that, what is the plan for Debian (buster and bullseye) to provide the support for OpenSSL 1.1.1? Asking this to take the call on whether to upgrade to bookworm.
You can find EOL (End Of Life) dates for Debian releases at [1]:
Version 11
Bullseye (currently stable)
Release date: 2021-08-14
EOL date: ~2024-07

Version 10
Buster (currently old stable)
Release date: 2019-07-06
EOL date: 2022-09-10

Debian Stable and Old-Stable (previous stable) releases only receive security updates, and their packages are kept at the stable release version.

---
[1] https://wiki.debian.org/it/DebianReleases
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

#3 Post by sanal »

@Aki Thanks. We have an LTS contract for Buster till June 2024. As OpenSSL provides premium support for OpenSSL 1.1.1 post Sep 2023, I believe that we will get security updates till the LTS support date.

#4 Post by valentijn77 »

Aki wrote: 2023-05-11 07:01 Debian Stable and Old-Stable (previous stable) releases only receive security updates, and their packages are kept at the stable release version.

---
[1] https://wiki.debian.org/it/DebianReleases
I think the question is more if Debian has access to any future security updates/patches for OpenSSL 1.1.1 which would lead to security updates for OpenSSL 1.1.1 in buster & bullseye during the support periods you referred to.

#5 Post by Aki »

valentijn77 wrote: 2023-09-15 07:03
Aki wrote: 2023-05-11 07:01 Debian Stable and Old-Stable (previous stable) releases only receive security updates, and their packages are kept at the stable release version.

---
[1] https://wiki.debian.org/it/DebianReleases
I think the question is more if Debian has access to any future security updates/patches for OpenSSL 1.1.1 which would lead to security updates for OpenSSL 1.1.1 in buster & bullseye during the support periods you referred to.
You can see here the current situation at the time of this post. It is the following:

versions
    o-o-stable: 1.1.1n-0+deb10u3
    o-o-sec: 1.1.1n-0+deb10u6
    oldstable: 1.1.1n-0+deb11u4
    old-sec: 1.1.1n-0+deb11u5
    old-p-u: 1.1.1v-0~deb11u1
    stable: 3.0.9-1
    stable-p-u: 3.0.10-1~deb12u1
    testing: 3.0.10-1
    unstable: 3.0.10-1
    exp: 3.1.2-1
Therefore, 1.1.1 is currently supported only in old-stable (EOL date: ~2024-07), and it seems it is still updated in old-old-stable (even though its EOL date is 2022-09-10) by the LTS Security Team.

It is not available from Debian stable and following releases.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
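
An added example, not part of the original post: a small Python parser for the suite/version listing quoted in post #5. It reports which suites still ship the 1.1.1 series and shows that the security suites stay on upstream 1.1.1n and differ only in Debian revision, while old-p-u carries upstream 1.1.1v. The function names (`split_version`, `parse_listing`, `series`, `suites_on`, `rebased`) are hypothetical; the data is the listing from the post.

```python
import re

# Listing copied from post #5 (suite: version of the openssl package).
LISTING = """\
o-o-stable: 1.1.1n-0+deb10u3
o-o-sec: 1.1.1n-0+deb10u6
oldstable: 1.1.1n-0+deb11u4
old-sec: 1.1.1n-0+deb11u5
old-p-u: 1.1.1v-0~deb11u1
stable: 3.0.9-1
stable-p-u: 3.0.10-1~deb12u1
testing: 3.0.10-1
unstable: 3.0.10-1
exp: 3.1.2-1
"""

def split_version(version):
    """Split a Debian version into (upstream, debian_revision), dropping any epoch."""
    version = version.split(":", 1)[-1]            # "1:2.0-1" -> "2.0-1"
    upstream, _, revision = version.rpartition("-")
    return (upstream, revision) if upstream else (revision, "")

def parse_listing(text):
    """Map each suite name to its (upstream, debian_revision) pair."""
    suites = {}
    for line in text.splitlines():
        suite, sep, version = line.strip().partition(": ")
        if sep:
            suites[suite] = split_version(version)
    return suites

def series(upstream):
    """'1.1.1n' -> '1.1.1' (letter releases); '3.0.9' -> '3.0'."""
    lettered = re.fullmatch(r"(\d+\.\d+\.\d+)[a-z]+", upstream)
    return lettered.group(1) if lettered else ".".join(upstream.split(".")[:2])

def suites_on(text, wanted="1.1.1"):
    """Suites whose package belongs to the given upstream series."""
    return {s: v for s, v in parse_listing(text).items() if series(v[0]) == wanted}

def rebased(text, base, candidate):
    """True if candidate carries a different upstream release than base,
    False if only the Debian revision differs."""
    suites = parse_listing(text)
    return suites[base][0] != suites[candidate][0]

if __name__ == "__main__":
    for suite, (upstream, revision) in suites_on(LISTING).items():
        print(f"{suite:12} upstream={upstream} debian_revision={revision}")
```
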

#6 Post by valentijn77 »

Aki wrote: 2023-09-15 16:28 You can see here the current situation at the time of this post. It is the following:

versions
    o-o-stable: 1.1.1n-0+deb10u3
    o-o-sec: 1.1.1n-0+deb10u6
    oldstable: 1.1.1n-0+deb11u4
    old-sec: 1.1.1n-0+deb11u5
    old-p-u: 1.1.1v-0~deb11u1
    stable: 3.0.9-1
    stable-p-u: 3.0.10-1~deb12u1
    testing: 3.0.10-1
    unstable: 3.0.10-1
    exp: 3.1.2-1
Therefore, 1.1.1 is currently supported only in old-stable (EOL date: ~2024-07), and it seems it is still updated in old-old-stable (even though its EOL date is 2022-09-10) by the LTS Security Team.

It is not available from Debian stable and following releases.
Thank you. But those updates are based on the public patches of OpenSSL 1.1.1, released before the EOL date.
I would expect those patches in old-(old-)stable to continue, but can't find any explicit information stating this will be the case.
