Bug 2137661

Summary: upcoming critical openssl vulnerability
Product: [Fedora] Fedora
Reporter: Matthew Miller <mattdm>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 37
CC: bcotton, bgilbert, crypto-team, dbelyavs, dustymabe, edgar.hoch, goeran, jan.public, jlebon, ldelouw, mjg, mspacek, mturk, robatino, sahana, sgallagh, support.web-tv, tm, travier
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: openssl-3.0.5-3.fc37
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-02 02:01:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 2139149, 2139151
Bug Blocks: 2009539

Description Matthew Miller 2022-10-25 18:29:51 UTC
This is a placeholder (to be, presumably, marked as a duplicate). From https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html:

> Hello,
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL version 3.0.7.
> This release will be made available on Tuesday 1st November 2022 between
> 1300-1700 UTC.
> OpenSSL 3.0.7 is a security-fix release. The highest severity issue
> fixed in this release is CRITICAL:
> https://www.openssl.org/policies/general/security-policy.html
> Yours
> The OpenSSL Project Team

From the link:

> CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.

Comment 1 Fedora Blocker Bugs Application 2022-10-25 18:32:18 UTC
Proposed as a Blocker for 37-final by Fedora user mattdm using the blocker tracking app because:

 Critical CVE in openssl 3. Details to be announced the day we would release. We should consider whether we should hold for this.

Comment 2 Stephen Gallagher 2022-10-26 00:01:08 UTC
Without knowing the extent of the problem, I'd be hesitant to delay for it. If we had shipped today, we'd be awaiting an errata just the same. The relevant release criterion is: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." But since we cannot know by the upcoming Go/No-Go whether this issue would impact installation, I think we just have to plan for a quick security bug release.

Alternately, if we can get *enough* of a disclosure from upstream that says "This will probably have impact on your installer", without going into detail, I'd probably bow to their wisdom and block based on this criterion. Without that hint, however, I think we have to operate under the assumption that it's fixable as an update post-release.

Comment 3 Ben Cotton 2022-10-27 17:49:58 UTC
In today's Go/No-Go meeting, we agreed that, given the limited public information, we are unable to definitively determine whether this violates "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update". We therefore are blocking out of an abundance of caution.

Comment 4 Fedora Update System 2022-11-01 18:20:11 UTC
FEDORA-2022-0f1d2e0537 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0f1d2e0537

Comment 5 Fedora Update System 2022-11-02 02:01:17 UTC
FEDORA-2022-0f1d2e0537 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.