Upstream has issued an advisory today (February 26):
It contains this note:
OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.
Both OpenSSL versions in Cauldron will be EOL this year. We should drop the compat-openssl10 package and migrate the openssl package to 1.1.1.
Assigning to neoclust, because he is the registered maintainer of compat-openssl10 and there's no registered maintainer of openssl.
Source rpm list for packages still using oldest 1.0.x:
There might be more pkgs BR'ing openssl 1.0.x, but the mentioned pkgs use the libs from it.
Python 2.7.16 is compatible with OpenSSL 1.1.x:
Just a reminder that nothing has been done with this yet.
OpenSSL 1.1.0 will be EOL in a few hours, and 1.0.2 will be in a few months...
Is it possible to have OpenSSL 1.1.1 just for apache, along with 1.1.0 and 1.0.2?
Support is important, considering (31 October 2019):
Elliptic curve implementations vulnerable to Minerva timing attack
That would be highly undesirable. It's bad enough we already have to support two versions. We need to get rid of at least one of the current ones.
I agree. A Cloudflare Blog explains why TLS 1.3 has been a long time on the way because the implementation in OpenSSL 1.1.1 had to be compatible with OpenSSL 1.1.0:
OpenSSL: All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible.
The transition 1.1.0 -> 1.1.1 should accordingly be easy, unless there are some hidden problems with e.g. the gcc compiler. OpenSSL 1.0.x is another matter, as the long list above shows.