This is a placeholder (to be, presumably, marked as a duplicate).

From https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html:

> Hello,
>
> The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7.
>
> This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC.
>
> OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL:
>
> https://www.openssl.org/policies/general/security-policy.html
>
> Yours
> The OpenSSL Project Team

From the link:

> CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.
Proposed as a Blocker for 37-final by Fedora user mattdm using the blocker tracking app because: Critical CVE in openssl 3. Details to be announced the day we would release. We should consider whether we should hold for this.
Without knowing the extent of the problem, I'd be hesitant to delay for it. If we had shipped today, we'd be awaiting an errata just the same. The relevant release criterion is: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." But since we cannot know by the upcoming Go/No-Go whether this issue would impact installation, I think we just have to plan for a quick security bug release. Alternately, if we can get *enough* of a disclosure from upstream that says "This will probably have impact on your installer", without going into detail, I'd probably bow to their wisdom and block based on this criterion. Without that hint, however, I think we have to operate under the assumption that it's fixable as an update post-release.
In today's Go/No-Go meeting, we agreed that, given the limited public information, we are unable to definitively determine whether this violates "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update". We are therefore blocking out of an abundance of caution.
FEDORA-2022-0f1d2e0537 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0f1d2e0537
FEDORA-2022-0f1d2e0537 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.