1.1.1 downloads spike
I find it interesting that recent security releases caused a download spike of the end-of-life 1.1.1. Do people try to apply security patches by themselves?

Peter Gutmann · Fri 30 Jan 2026 11:07AM
The following is purely speculation but it would tie in with a discussion I recently had with some networking guys about Internet security appliances running ancient out-of-support versions of FreeRADIUS with OpenSSL (because it wouldn't be a proper Internet security appliance if it wasn't riddled with years-old unpatched vulnerabilities). What vendors were doing was customising, pronounced "hacking up", the code to do whatever vendor-specific things they needed and then not being enthusiastic over having to re-hack-up the latest release to match. There could be something similar happening here.
Randall Becker · Fri 30 Jan 2026 10:26PM
It is possible that the release/security notes that came out for the patch series, which specifically said 1.1.1 was not vulnerable, caused some people to fall back out of fear instead of staying on 3.x.
Paul Dale · Fri 30 Jan 2026 10:56PM
Why would a distro re-download the EOL version? They'd either already have it or their patched version of it.
My guess would be more along the lines of "oh, there's a bug in OpenSSL, time to grab the latest" without realising that it's EoL and is still vulnerable.
John Haxby · Fri 30 Jan 2026 10:50AM
I think they probably do. Distros related to OpenELA (Oracle, Rocky, Alma, etc) and RHEL8 would account for a handful of downloads, but otherwise I suspect that either people don't want to wait for an "official" patch for their distro or are doing their own maintenance. (And for the latter, well, I worry.)