https://isc.sans.edu/forums/diary/U...SL+Vulnerability+What+will+be+Affected/29192/
Upcoming Critical OpenSSL Vulnerability: What will be Affected?
Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open source projects to rethink how they address security issues and how they communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time.
This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1]. The OpenSSL definition of critical:
The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. For most systems, you will be able to use the openssl command line utility:
macOS: macOS usually comes with libressl, not openssl, installed. But openssl may be installed later by other software like Homebrew and MacPorts.
[thanks to all the contributors to this table. Let me know if you have additional entries]
[1] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Upcoming Critical OpenSSL Vulnerability: What will be Affected?
Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open source projects to rethink how they address security issues and how they communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time.
This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1]. The OpenSSL definition of critical:
In short: This is something you will need to worry about!
The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. For most systems, you will be able to use the openssl command line utility:
Here is a quick list of OpenSSL versions for different operating systems:
macOS: macOS usually comes with libressl, not openssl, installed. But openssl may be installed later by other software like Homebrew and MacPorts.
[thanks to all the contributors to this table. Let me know if you have additional entries]
| Linux Distro | OpenSSL Version |
|---|---|
| CentOS 8 | (1.1.1) |
| CentOS Stream 9 | (3.0.1) |
| Debian 11 (bullseye) | (1.1.1) |
| Eneavour 2022.09.10 | (1.1.1) |
| Fedora 34 | (1.1.1) |
| Fedora 35 | (1.1.1) |
| Fedora 36 | (3.0.5) |
| Fedora Rawhide | (3.0.5) |
| Kali 2022.3 | (3.0.5) |
| Linux Mint 21 Vanessa | (3.0.2) |
| Mageia 7 | (1.1.1) |
| Mageia 8 | (1.1.1) |
| Mageia Cauldron | (3.0.5) |
| OpenMandriva 4.3 | (3.0.3) |
| OpenMandriva Cooker | (3.0.6) |
| OpenSuSE Leap 15.2 | (1.1.1) |
| OpenSuSE Leap 15.3 | (1.1.1) |
| OpenSuSE Leap 15.4 | (1.1.1) |
| Ubuntu 20.04 | (1.1.1) |
| Ubuntu 22.04 | (3.0.2) |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
