Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
FEDORA-2026-47fffff581 (openssl-3.5.4-3.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-47fffff581
*** Bug 2447399 has been marked as a duplicate of this bug. ***
FEDORA-2026-d3e275d525 (openssl-3.5.5-2.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-d3e275d525
Proposed as a Blocker for 44-final by Fedora user pbrobinson using the blocker tracking app because:

Criterion: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)."

* CVE-2026-2673 - opencve: high - redhat: low
* CVE-2026-28387 - opencve: low - redhat: low
* CVE-2026-28388 - opencve: high - redhat: low
* CVE-2026-28389 - opencve: high - redhat: low
* CVE-2026-28390 - opencve: high - redhat: moderate
* CVE-2026-31789 - opencve: medium - redhat: low
* CVE-2026-31790 - opencve: high - redhat: moderate

Openssl ships on all Fedora artifacts.
This issue is irrelevant for Fedora: we rely on crypto-policies configuring TLS properties, and don't rely on the 'DEFAULT' keyword.
I believe Peter was proposing this as a proxy for *all* of the CVEs he listed, Dmitry. Are any of those concerning for Fedora?
I think yes, the remaining ones should be fixed in F44. Pavol Zacik, could you please confirm?
For blocker status, the key question is whether any of them rate 'important' on RH's scale.
FEDORA-2026-d3e275d525 has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-d3e275d525` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-d3e275d525 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-47fffff581 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-47fffff581` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-47fffff581 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Adam: All are rated either as low or moderate by Red Hat Product Security, so the blocker is not appropriate.

Dima: Yes, the build with all CVE patches is in testing and will be shipped after un-freeze.
For the record, we didn't *formally* consider this one at the Go/No-Go blocker review as it was closed so it didn't show up in the list, but I did bring it up informally and it was clearly rejected, with 7 -1 votes.
FEDORA-2026-d3e275d525 (openssl-3.5.5-2.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2026-47fffff581 (openssl-3.5.4-3.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.