Bug 2064453

Summary: Update to openssl 3.0.2
Product: [Fedora] Fedora Reporter: Peter Robinson <pbrobinson>
Component: opensslAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 36CC: awilliam, bcotton, bgilbert, crypto-team, dbelyavs, fedoraproject, mhroncok, mspacek, mturk, robatino, sahana, smokris, tm
Target Milestone: ---Keywords: Triaged
Target Release: ---Flags: mhroncok: fedora_prioritized_bug?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedFreezeException AcceptedBlocker
Fixed In Version: openssl-3.0.2-1.fc36 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-24 00:56:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1953784, 1953785    

Description Peter Robinson 2022-03-15 21:29:59 UTC 
It seems since the openssl 3 GA release back in September there's not
been a single successful openssl build[1], and a number of bugs [2],
and even more CVEs [3][4]. Why aren't these being dealt with in a semi
reasonable fashion? The last actual successful build is now over 6
months ago.

The latest on is remotely exploitable

[1] https://koji.fedoraproject.org/koji/packageinfo?packageID=109
[2] https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=openssl&list_id=12493381&product=Fedora&product=Fedora%20EPEL
[3] https://www.openssl.org/news/vulnerabilities-3.0.html
[4] https://lwn.net/Articles/887970/
Comment 1 Fedora Blocker Bugs Application 2022-03-15 21:31:13 UTC 
Proposed as a Blocker for 36-beta by Fedora user pbrobinson using the blocker tracking app because:

 Remotely exploitable CVE that affects all variants of Fedora due to openssl
Comment 2 Dmitry Belyavskiy 2022-03-16 13:05:25 UTC 
I confirm that it should be considered as a blocker.
Comment 3 Adam Williamson 2022-03-16 15:56:48 UTC 
Dmitry: will you be able to get an F36 build done today? I'm trying to pull together a Beta compose and it'd be nice to have that in it.
Comment 4 Dmitry Belyavskiy 2022-03-16 17:30:04 UTC 
Dear Adam,

Unfortunately, no. will do my best to finalize it till Friday, though not sure yet.
Comment 5 Adam Williamson 2022-03-16 17:59:42 UTC 
+4 for Beta FE and Final blocker in https://pagure.io/fedora-qa/blocker-review/issue/674 , waiting for Beta blocker votes to clean up to finalize that metadata.
Comment 6 Adam Williamson 2022-03-17 00:54:55 UTC 
BetaBlocker vote is now at -3 (+3 / -6) so rejecting it; marking as accepted Beta FE, accepted Final blocker.
Comment 8 Fedora Update System 2022-03-18 10:55:43 UTC 
FEDORA-2022-30744868ee has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-30744868ee
Comment 9 Fedora Update System 2022-03-18 15:53:45 UTC 
FEDORA-2022-30744868ee has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-30744868ee`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-30744868ee

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2022-03-24 00:56:42 UTC 
FEDORA-2022-30744868ee has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.