magicbus wrote:
bwanshoom wrote:
... If you didn't update openssl in more than 2 years you were missing many vulnerability fixes. Security software updates are generally pretty important.
You might think that but OpenSSL isn't Windows or OSX. I would venture a ballpark guess that 95+ percent of the changes are additional features and 99% of the remaining 5% concern specific features and their usage. The remaining .05% are fixes like correcting bugs introduced by the addition of a new feature (think heartbleed bug here).
The cost to properly test software is high and it is cheaper and safer to analyze the impact of not updating than it is to blindly update, test, and release.
Dave
I based my response on the list of vulnerabilties from openssl
listed here. It appears there were at least 9 security vulnerabilities resolved in the past 2 years not including Heartbleed. While what you say is true for most software, openssl is pretty much all security or security-related.
