To support my prior comment, FreeBSD are quite clear about it (see the explicit 
statement below from one of their previous Security Advisories), and I expect 
it to be the same with Debian and any other FOSS operating system.

Security Advisory FreeBSD-SA-20:33.openssl CVE-2020-1971: "However, the OpenSSL 
project is only giving patches for that version to premium support contract 
holders. The FreeBSD project does not have access to these patches"

On Wednesday, 26 June 2024 at 13:01, Lucas Rolff via dovecot 
<dovecot@dovecot.org> wrote:

> That Debian doesn't patch their LTS releases properly like other operating 
> systems, should probably be brought up with the Debian release and security 
> teams.
> 
> Sent from Outlook for iOS https://aka.ms/o0ukef
> 
> ________________________________
> From: Laura Smith via dovecot dovecot@dovecot.org
> 
> Sent: Wednesday, June 26, 2024 1:31:48 PM
> To: Aki Tuomi aki.tu...@open-xchange.com
> 
> Cc: Laura Smith via dovecot dovecot@dovecot.org; Michael m...@hemathor.de
> 
> Subject: Re: Debian Bookworm packages, please !
> 
> The fundamental problem here is that this turns into a security problem, 
> which in 2024 is not a nice thing to have.
> 
> Yes, theoretically I could run the previous Debian release, 11 Bullseye, which 
> is now EOL but in LTS until 2026.
> 
> However, the OpenSSL delivered with Bullseye is 1.1.1. Any LTS patches 
> delivered by Debian are based on public patches, so basically there will be 
> no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> INCLUDING security patches, as described on their website ("It will no longer 
> be receiving publicly available security fixes after that date") 
> https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> 
> Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> package. "be careful it's broken" is not a warning a good sysadmin takes 
> lightly.
> 
> Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> 
> It's all a bit of a mess. It's all a bit worrying.
> 
> Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> that! The Dovecot community are left between the proverbial rock and a hard 
> place.
> 
> Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> thoughts of comparisons with Dovecot and OpenXChange.
> 
> Stalwart, whilst extraordinarily promising, needs another year or so of 
> development to reach v1 and mature the code.
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
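As an added example for the situation Laura describes (bullseye shipping OpenSSL 1.1.1 after upstream stopped publishing fixes), and not code from this thread, Dovecot, Debian or OpenSSL: a POSIX shell check that classifies the OpenSSL an IMAP host actually runs against upstream's public-support status, then reports what the `dovecot` binary links and what the Debian package revision is. The branch table is an assumption hard-coded from OpenSSL's published release policy as I know it (no public fixes for any 0.9.x/1.0.x/1.1.x branch, 1.1.1 ending 11 September 2023; 3.0 being the LTS branch); verify it against openssl.org before relying on it. The `report_host` function only runs a live check when the corresponding tool is present.

```shell
#!/bin/sh
# Added example for this thread (not code from Dovecot, Debian or OpenSSL):
# classify the OpenSSL a host runs against upstream's public support status.
#
# Assumption (not from the thread): the branch table below is hard-coded from
# OpenSSL's published release policy as I know it -- 0.9.x/1.0.x/1.1.x receive
# no public fixes (1.1.1 ended 11 Sep 2023), 3.0 is the LTS branch.  Check
# https://www.openssl.org/policies/releasestrat.html before relying on it.

# Reduce a version string to its support branch.
# Accepts `openssl version` output ("OpenSSL 1.1.1w  11 Sep 2023") and Debian
# package versions ("1.1.1n-0+deb11u5").  1.x branches are three components
# (1.1.1), 3.x branches are two (3.0).  Unparseable input yields "".
openssl_branch() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)*\([0-9][0-9.]*\).*$/\2/p')
  case "$ver" in
    1.*) printf '%s\n' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/' ;;
    *)   printf '%s\n' "$ver" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/' ;;
  esac
}

# Map a branch to upstream status: eol | 3.0-lts | 3.x-see-release-policy | unknown
openssl_status() {
  case "$(openssl_branch "$1")" in
    0.*|1.*) echo "eol" ;;                     # fixes only under premium support contracts
    3.0)     echo "3.0-lts" ;;                 # LTS branch (assumption stated above)
    3.*)     echo "3.x-see-release-policy" ;;  # short-lived branches; check the policy page
    *)       echo "unknown" ;;
  esac
}

# Live checks; each is skipped when its tool is absent so the file is safe to source.
report_host() {
  if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version 2>/dev/null)
    echo "system openssl: $v -> $(openssl_status "$v")"
  fi
  # The daemon may load a different libssl than the CLI; ldd lists transitive deps,
  # so libssl pulled in through libdovecot.so shows up here too.
  if command -v dovecot >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    lib=$(ldd "$(command -v dovecot)" 2>/dev/null | grep -i 'libssl' || true)
    if [ -n "$lib" ]; then
      echo "dovecot links:$lib"
    else
      echo "dovecot: no libssl in ldd output (static build or loaded by a plugin)"
    fi
  fi
  # On Debian the package revision (e.g. 1.1.1w-0+deb11u1) shows what LTS shipped;
  # an upstream-EOL branch here means only publicly known fixes can be backported.
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' 'libssl*' 2>/dev/null | while read -r pkg pv; do
      [ -n "$pv" ] && echo "$pkg $pv -> $(openssl_status "$pv")"
    done
  fi
}

report_host
```

Run it on the mail host as any user; the `dpkg-query` line is the one that answers the LTS question, since a `1.1.1*` revision there means the distribution can only carry fixes that were made public upstream.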