Bug 2137661
| Summary: | upcoming critical openssl vulnerability | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matthew Miller <mattdm> |
| Component: | openssl | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 37 | CC: | bcotton, bgilbert, crypto-team, dbelyavs, dustymabe, edgar.hoch, goeran, jan.public, jlebon, ldelouw, mjg, mspacek, mturk, robatino, sahana, sgallagh, support.web-tv, tm, travier |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | AcceptedBlocker | | |
| Fixed In Version: | openssl-3.0.5-3.fc37 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-02 02:01:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2139149, 2139151 | | |
| Bug Blocks: | 2009539 | | |

Description
Matthew Miller
2022-10-25 18:29:51 UTC
Proposed as a Blocker for 37-final by Fedora user mattdm using the blocker tracking app because: Critical CVE in openssl 3. Details to be announced the day we would release. We should consider whether we should hold for this.

Without knowing the extent of the problem, I'd be hesitant to delay for it. If we had shipped today, we'd be awaiting an errata just the same.

The relevant release criterion is: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." But since we cannot know by the upcoming Go/No-Go whether this issue would impact installation, I think we just have to plan for a quick security bug release.

Alternately, if we can get *enough* of a disclosure from upstream that says "This will probably have impact on your installer", without going into detail, I'd probably bow to their wisdom and block based on this criterion. Without that hint, however, I think we have to operate under the assumption that it's fixable as an update post-release.

In today's Go/No-Go meeting, we agreed given the limited public information, we are unable to definitively determine whether this violates "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update". We therefore are blocking out of an abundance of caution.

FEDORA-2022-0f1d2e0537 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0f1d2e0537

FEDORA-2022-0f1d2e0537 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.