btaroli
Apr 08, 2014 (Prodigy)
ROS 6, OpenSSL, and package updates?
No sooner do I read this evening that Fedora and others are quickly working to get OpenSSL 1.0.1e out to fix the latest TLS bug that I log into my 516 to see what version it's running. Oh my, 1.0.1e....
fastfwd
Apr 08, 2014 (Virtuoso)
StephenB wrote: The bug fixes started rolling out yesterday (7 April 2014), so if you haven't updated OpenSSL manually you are not secure.
That is correct.
StephenB wrote: I am also confused on how 1.0.1e-2+deb7u5 and 1.0.1e-2+deb7u6 relate to 1.0.1g.
OpenSSL is its own project; it released 1.0.1e a year ago. Shortly thereafter, the Debian project maintainers incorporated it into their Linux distro.
The OpenSSL project released 1.0.1g yesterday, and the Debian project will undoubtedly incorporate that version into the next release of Debian Linux. But it would be imprudent for them to update the earlier, already-released versions of Debian (like "Wheezy", the version used by the ReadyNAS OS6 devices) to 1.0.1g without significant testing, because over the last year many other changes were made between 1.0.1e and 1.0.1g. That testing would take a lot of time, but the bug is serious and should be fixed immediately.
Fortunately, the fix is very straightforward -- just a couple lines of code -- so the Debian Security team decided that it was safe to make just that one bugfix change to Wheezy's 1.0.1e (without adding any of the other changes made to OpenSSL over the last year). They released the slightly-modified 1.0.1e as 1.0.1e-2+deb7u5 yesterday, then made some minor tweaks to it today and released that as 1.0.1e-2+deb7u6. Both those versions contain the crucial bugfix; the latter one also handles service-restarts better.
You can see the list of other major changes between 1.0.1e and 1.0.1g by looking at the OpenSSL release notes here: http://www.openssl.org/news/openssl-1.0.1-notes.html. I posted the Debian changelog for 1.0.1e-2+deb7u5 and 1.0.1e-2+deb7u6 in an earlier message.