Description of problem: OpenSSL version 1.1.1k is affected by multiple CATI Vulnerabilities. Requesting that this be updated to the latest patched version, 1.1.1v, in the EPEL repository.
Version-Release number of selected component (if applicable): 1.1.1k
How reproducible: N/A
Steps to Reproduce: N/A
Actual results: N/A
Expected results: N/A
Additional info: N/A
Thank you for your report. However, this analysis is unfortunately wrong. The package openssl11 in EPEL 7 tracks the package openssl in RHEL 8 (this effectively means all changes from the openssl package in RHEL 8 are backported to the openssl11 package in EPEL 7) and is currently fully in sync with CentOS Stream 8; see https://git.centos.org/rpms/openssl/commits/c8s for details. I cannot see how the openssl package in RHEL 8 would be affected by critical vulnerabilities, because Red Hat is actively backporting security fixes. I guess you are not aware of the Red Hat security backporting practice, thus I recommend reading https://access.redhat.com/security/updates/backporting and https://access.redhat.com/solutions/57665 first. In case you afterwards still think the openssl11 package is affected by security vulnerabilities, please provide a specific list of CVEs and check them beforehand at https://access.redhat.com/security/security-updates/cve regarding the openssl package for RHEL 8.
Thank you for the response, I wasn't aware that the EPEL package was backported from RHEL 8, that answers my question.
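Added example, not part of the original thread or of the openssl11 package: because fixes are backported without changing the upstream version string, a per-CVE check has to read the package changelog rather than compare version numbers. The function name, the sample changelog and the CVE IDs below are constructed placeholders; the only real command assumed is `rpm -q --changelog`.

```shell
#!/usr/bin/env bash
# Report, per CVE ID, the package release whose changelog entry names it.
# Real use:  rpm -q --changelog openssl11 | cve_backport_status <CVE-ID>...

# Constructed sample in rpm changelog layout (placeholder IDs and releases).
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Packager <packager@example.org> - 1:1.1.1k-99
- Fix constructed issue in X.509 parsing
  Resolves: CVE-0000-00002

* Sun Jan 01 2023 Example Packager <packager@example.org> - 1:1.1.1k-98
- Backport fix for CVE-0000-00001'

# cve_backport_status CVE-ID...   (changelog text on stdin)
# Prints "<CVE> fixed-in <release>" or "<CVE> not-in-changelog".
# Assumes each entry header ends with the version-release field.
cve_backport_status() {
    awk -v wanted="$*" '
        # True only if id appears as a whole ID, not as a prefix of a longer one.
        function names(line, id,   p) {
            while ((p = index(line, id)) > 0) {
                line = substr(line, p + length(id))
                if (line !~ /^[0-9]/) return 1
            }
            return 0
        }
        BEGIN { n = split(wanted, ids, " ") }
        # Entry header: "* <date> <packager> - <version-release>"
        /^\* / { release = $NF; next }
        {
            # Entries are newest first; keep the first release that names the CVE.
            for (i = 1; i <= n; i++)
                if (!(ids[i] in found) && names($0, ids[i]))
                    found[ids[i]] = release
        }
        END {
            for (i = 1; i <= n; i++) {
                if (ids[i] in found) { print ids[i], "fixed-in", found[ids[i]] }
                else                 { print ids[i], "not-in-changelog" }
            }
        }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_backport_status CVE-0000-00001 CVE-0000-00003
```

A "not-in-changelog" result only means the changelog does not name the ID; the vendor CVE page remains the authoritative answer, since a CVE may not apply to the package at all.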