What Debian released is a stable distribution that is going to be maintained for the next 3 or 4 years. It is better to release something stable and well tested than bleeding edge stuff.
Many people don't get Debian. This is a release aimed at servers and stable workstations. If you want or need bleeding edge stuff you can use Debian testing/unstable or Ubuntu as you suggested.
There also wasn't a lot of time before the freeze: OpenSSL 1.0.0 was released on March 29, and the Debian "Squeeze" freeze was August 6. Dropping in a new version of OpenSSL four months before the freeze wasn't considered prudent. Even if OpenSSL itself could be tested in that time and considered rock-solid (probably possible), a lot of different packages depend on / link with OpenSSL, and linking them with a new version might expose subtle bugs or incompatibilities in those apps, which you'd want some time to notice/debug/fix, especially since it might require waiting on upstream developers to debug/fix things in their apps.
Post-release, OpenSSL 1.0.0 will now be migrated to unstable, and then any problems that causes or exposes can be found and fixed on a more generous schedule.
I agree. I use Debian not because it has the bleeding edge but because they have the most stable versions and they care about that. I love their system.
edit: the latest OpenSSL release is 1.0.0, not 1.2.2. And development on the 0.9.8 series seems to be still active, as the latest version on it was released on the same day as 1.0.0c.
That seems like a dumb reason to switch to Ubuntu. I'm unaware of any current software that doesn't work fine linked against the OpenSSL version in Debian. SSL/TLS is just not a rapidly moving target, and this version is still actively maintained.
I reckon I prefer stability and predictability over modernity in my encryption and signing libraries.
Well, their solution was to build OpenSSL 1.0.0 (which is stable) from source.
That was easy, but then rebuilding other components which were linked to the original v. 0.9.x was a major PITA.
This is the problem, according to the auditor:
Vulnerability in OpenSSL 0.9.8g. Severity: Critical. Problem CVE: CVE-2008-0891 CVE-2008-1672 CVE-2008-5077 CVE-2009-0590 CVE-2009-0789 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-3245 CVE-2009-3555 CVE-2010-0433 CVE-2010-0740. Impact: A remote attacker could execute arbitrary commands, cause a buffer overflow, bypass security or create a denial of service. Resolution: OpenSSL should be upgraded [http://www.openssl.org/source/] to 1.0.0a or higher.
Well, this ignores the reality of how most linux distributions are maintained.
Version numbers are not supposed to change after the fact in a stable-release, hence security fixes get backported (every distro has a security-team for this).
If PCI requires a less tested newer version over a battle-scarred (patched up) older one then PCI is working against its own stated goal.
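One practical way to answer a version-based scanner finding like the one above is to check the package changelog (what `apt-get changelog <pkg>` prints) for the flagged CVE ids, since a backported fix keeps the upstream version number but is recorded there. The following is an added example, not code from the thread or from Debian; the scanner text is the auditor's finding as pasted above, and the changelog excerpt, its version strings and its maintainer address are constructed for illustration.

```python
import re

# Matches CVE ids, tolerating the mangled forms that appear in scanner output
# ("CVE2008-0891", "CVE-20091377") as well as the canonical "CVE-2008-0891".
CVE_RE = re.compile(r"CVE-?(\d{4})-?(\d{4,})")


def normalize_cves(text):
    """Return the set of canonical CVE ids mentioned anywhere in text."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}


def unaddressed_cves(scanner_text, changelog_text):
    """CVE ids flagged by the scanner that the package changelog never mentions.

    Absence from the changelog only means the fix is not documented there;
    those ids are the ones to follow up against the distro security tracker.
    """
    return sorted(normalize_cves(scanner_text) - normalize_cves(changelog_text))


# The auditor's finding as pasted in the thread (ids left in their mangled form).
SCANNER_FINDING = (
    "Vulnerability in OpenSSL 0.9.8g Severity: Critical Problem CVE: CVE2008-0891 "
    "CVE-2008-1672 CVE-2008-5077 CVE-2009-0590 CVE-2009-0789 CVE-20091377 "
    "CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-3245 CVE-2009-3555 "
    "CVE-2010-0433 CVE-2010-0740"
)

# Constructed sample changelog excerpt in Debian changelog format; the version
# strings, entries and maintainer are illustrative, not the real openssl changelog.
CHANGELOG = """\
openssl (0.9.8-sample2) stable-security; urgency=high

  * Backport fixes for CVE-2010-0433 and CVE-2010-0740.

 -- Sample Maintainer <maintainer@example.invalid>  Mon, 05 Apr 2010 10:00:00 +0000

openssl (0.9.8-sample1) stable-security; urgency=high

  * Disable TLS renegotiation to address CVE-2009-3555.
  * Fix certificate chain verification, CVE-2008-5077.

 -- Sample Maintainer <maintainer@example.invalid>  Tue, 12 Jan 2010 10:00:00 +0000
"""

if __name__ == "__main__":
    for cve in unaddressed_cves(SCANNER_FINDING, CHANGELOG):
        print("not documented in changelog:", cve)
```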
It doesn't take much wisdom to realize that it's less likely for new bugs to crop up in the 0.9.8 openssl that Debian ships than in the 1.0.0c that RHEL6 bundles (just one month after release!).
New software has bugs. Old software has fewer bugs.
They're so far behind because they're dedicated to release only when they think it's bug-free enough (for all packages, including all dependencies), which can be long after they freeze versions and features.
Another thing is they release the same distrib version on 9 different architectures, not only i386/amd64.
Considering this, and the fact they're volunteers, I don't think they're that far behind.
For those who don't know, Ubuntu is mostly Debian Unstable with a few packages delayed and a few pushed in earlier. In the experience of most people I know, it's normally slower to move than unstable but not that much better.
The Debian unstable->testing->stable cycle is vicious, and on a production system it's actually very sensible: by the time a package is allowed to reach stable, it will have been rigorously tested and actually be properly stable.