Bug 2137661 - upcoming critical openssl vulnerability
Summary: upcoming critical openssl vulnerability
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 37
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dmitry Belyavskiy
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedBlocker
Depends On: 2139149 2139151
Blocks: F37FinalBlocker
TreeView+ depends on / blocked
Reported: 2022-10-25 18:29 UTC by Matthew Miller
Modified: 2022-11-02 02:01 UTC (History)
19 users (show)

Fixed In Version: openssl-3.0.5-3.fc37
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-11-02 02:01:17 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-638 0 None None None 2022-10-25 18:31:05 UTC

Description Matthew Miller 2022-10-25 18:29:51 UTC
This is a placeholder (to be, presumably, marked as a duplicate). From https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html:

> Hello,
> The OpenSSL project team would like to announce the forthcoming release 
of OpenSSL version 3.0.7.
> This release will be made available on Tuesday 1st November 2022 between 
1300-1700 UTC.
> OpenSSL 3.0.7 is a security-fix release. The highest severity issue 
fixed in this release is CRITICAL:
> https://www.openssl.org/policies/general/security-policy.html
> Yours
> The OpenSSL Project Team

From the link:

>    CRITICAL Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.

Comment 1 Fedora Blocker Bugs Application 2022-10-25 18:32:18 UTC
Proposed as a Blocker for 37-final by Fedora user mattdm using the blocker tracking app because:

 Critical CVE in openssl 3. Details to be announced the day we would release. We should consider whether we should hold for this.

Comment 2 Stephen Gallagher 2022-10-26 00:01:08 UTC
Without knowing the extent of the problem, I'd be hesitant to delay for it. If we had shipped today, we'd be awaiting an errata just the same. The relevant release criterion is: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." But since we cannot know by the upcoming Go/No-Go whether this issue would impact installation, I think we just have to plan for a quick security bug release.

Alternately, if we can get *enough* of a disclosure from upstream that says "This will probably have impact on your installer", without going into detail, I'd probably bow to their wisdom and block based on this criterion. Without that hint, however, I think we have to operate under the assumption that it's fixable as an update post-release.

Comment 3 Ben Cotton 2022-10-27 17:49:58 UTC
In today's Go/No-Go meeting, we agreed given the limited public information, we are unable to definitively determine whether this violates"The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update". We therefore are blocking out of an abundance of caution.

Comment 4 Fedora Update System 2022-11-01 18:20:11 UTC
FEDORA-2022-0f1d2e0537 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0f1d2e0537

Comment 5 Fedora Update System 2022-11-02 02:01:17 UTC
FEDORA-2022-0f1d2e0537 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.