Bug 2232165

Summary: EPEL has openssl version 1.1.1k which is affected by critical CVEs, requesting that this be updated to the latest version 1.1.1v
Product: [Fedora] Fedora EPEL Reporter: eric.robert
Component: openssl11Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: epel7CC: redhat-bugzilla
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-15 17:20:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description eric.robert 2023-08-15 16:27:56 UTC 
Description of problem:
Openssl version 1.1.1k is affected by multiple CATI Vulnerabilities. Requesting that this be updated to the latest patched version, 1.1.1v in the epel repository.

Version-Release number of selected component (if applicable):
1.1.1k

How reproducible:
N/A

Steps to Reproduce:
N/A

Actual results:
N/A

Expected results:
N/A

Additional info:
N/A
Comment 1 Robert Scheck 2023-08-15 17:20:10 UTC 
Thank you for your report. However, this analysis is unfortunately wrong.

The package openssl11 in EPEL 7 tracks the package openssl in RHEL 8 (this effectively means all changes from the openssl package in RHEL 8 are backported to the openssl11 package in EPEL 7) and is currently fully in sync with CentOS Stream 8, see https://git.centos.org/rpms/openssl/commits/c8s for details.

I can not see how the openssl package in RHEL 8 would be affected by critical vulnerabilities, because Red Hat is actively backporting security fixes. I guess you are not aware about the Red Hat security backporting practice, thus I recommend to read https://access.redhat.com/security/updates/backporting and https://access.redhat.com/solutions/57665 first.

In case you afterwards still think the openssl11 package is affected by security vulnerabilities, please provide a specific list of CVEs and check them beforehand at https://access.redhat.com/security/security-updates/cve regarding the openssl package for RHEL 8.
Comment 2 eric.robert 2023-08-15 19:58:25 UTC 
Thank you for the response, I wasn't aware that the EPEL package was backported from RHEL 8, that answers my question.