While it is defined as a Critical CVE, the Severity is defined as Low.
This was fixed in version 3.0.6 but this version was withdrawn due to regression problems. The regression was not thought to have security implications. 3.0.7 has the CVE fix now without the regression and will be released on 1st Nov.
IPFire currently is using the 1.1.1 series of OpenSSL. 1.1.1r (bug fix release) had a patch created to update IPFire, but the same regression problem affected this version as with 3.0.6, so the patch has not been deployed.
1.1.1s (bug fix release) without the regression problem will be released on 1st Nov and a patch update for this version will be created for IPFire.
The OpenSSL-3 series is being worked on for IPFire and will replace the 1.1.1 series in one of the future Core Updates.
So IPFire is not currently affected by this CVE issue as it is still running on the 1.1.1 series of OpenSSL and will stay like that in the immediate future…
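For anyone wanting to check their own box against the version situation described in the post above, here is a small POSIX shell helper. It is an added example, not code from the thread or from the IPFire project. It assumes only that `openssl version` prints the version as its second word (e.g. `OpenSSL 1.1.1q  5 Jul 2022`), and it applies the rule stated above: the 1.1.1 series is not affected, and the 3.0.x series needs 3.0.7 or later.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenSSL version string
# against the situation described above. The rule encoded here is the one
# the post states: 1.1.1 series not affected, 3.0.x needs 3.0.7 or later.

# Extract the version token from a line of `openssl version` output.
# Input example (constructed): "OpenSSL 1.1.1q  5 Jul 2022" -> "1.1.1q"
openssl_version_string() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Print a one-line classification for a bare version string.
classify_openssl() {
    ver="$1"
    case "$ver" in
        1.1.1*)
            echo "not-affected (1.1.1 series)" ;;
        3.0.[0-6]|3.0.[0-6][a-z]*)
            # 3.0.0 through 3.0.6 (3.0.10 and later do not match here)
            echo "affected (3.0.x before 3.0.7, upgrade to 3.0.7)" ;;
        3.*)
            echo "not-affected (3.0.7 or later)" ;;
        *)
            echo "unknown series: ${ver:-<empty>}" ;;
    esac
}

# Run against the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl_version_string "$(openssl version 2>/dev/null | head -n 1)")
    echo "local OpenSSL $local_ver: $(classify_openssl "$local_ver")"
fi
```

On an IPFire system on the 1.1.1 series this reports "not-affected (1.1.1 series)"; on a host running 3.0.x below 3.0.7 it reports the affected range so you know an upgrade to 3.0.7 is due.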
I just want to highlight this again: IPFire is NOT affected by these vulnerabilities.
We have a branch with IPFire being ported to OpenSSL 3, but because of the recent vulnerabilities in this and previous releases this year, we won’t roll out the upgrade just yet.