Forthcoming OpenSSL Releases – Critical Issue in OpenSSL 3 (mta.openssl.org) 61 points by TimWolla 3y ago ↗ HN
[–] yuvadam 3y ago ↗ This seems to affect only OpenSSL 3.x.xMost distros have never bothered to upgrade to major version 3 - possibly because it broke ABI backwards compatibility - so despite the critical severity the impact might not be as widespread as it could have been? [–] TimWolla 3y ago ↗ OpenSSL 3 is in Ubuntu 22.04 LTS [1]. I expect that alone to be bad enough.[1] https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes... [–] hedora 3y ago ↗ It is in fedora and debian testing, but not stable. It made it into redhat 9, but none of the earlier ones or centos.Source:https://distrowatch.com/Oddly, they say it is in openbsd. I thought they moved off openssl years ago. (It might be good to take the other things I said with a grain of salt.) [–] Beltalowda 3y ago ↗ OpenBSD uses LibreSSL in base, but they provide OpenSSL ports/packages, including for OpenSSL 3: https://openports.se/security/openssl/3.0I don't know if any other ports use it; they try to make them work with LibreSSL, but maybe a few ports use OpenSSL 3.
[–] TimWolla 3y ago ↗ OpenSSL 3 is in Ubuntu 22.04 LTS [1]. I expect that alone to be bad enough.[1] https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes... [–] hedora 3y ago ↗ It is in fedora and debian testing, but not stable. It made it into redhat 9, but none of the earlier ones or centos.Source:https://distrowatch.com/Oddly, they say it is in openbsd. I thought they moved off openssl years ago. (It might be good to take the other things I said with a grain of salt.) [–] Beltalowda 3y ago ↗ OpenBSD uses LibreSSL in base, but they provide OpenSSL ports/packages, including for OpenSSL 3: https://openports.se/security/openssl/3.0I don't know if any other ports use it; they try to make them work with LibreSSL, but maybe a few ports use OpenSSL 3.
[–] hedora 3y ago ↗ It is in fedora and debian testing, but not stable. It made it into redhat 9, but none of the earlier ones or centos.Source:https://distrowatch.com/Oddly, they say it is in openbsd. I thought they moved off openssl years ago. (It might be good to take the other things I said with a grain of salt.) [–] Beltalowda 3y ago ↗ OpenBSD uses LibreSSL in base, but they provide OpenSSL ports/packages, including for OpenSSL 3: https://openports.se/security/openssl/3.0I don't know if any other ports use it; they try to make them work with LibreSSL, but maybe a few ports use OpenSSL 3.
[–] Beltalowda 3y ago ↗ OpenBSD uses LibreSSL in base, but they provide OpenSSL ports/packages, including for OpenSSL 3: https://openports.se/security/openssl/3.0I don't know if any other ports use it; they try to make them work with LibreSSL, but maybe a few ports use OpenSSL 3.
6 comments
[ 3.1 ms ] story [ 29.6 ms ] threadseems fun
Most distros have never bothered to upgrade to major version 3 - possibly because it broke ABI backwards compatibility - so despite the critical severity the impact might not be as widespread as it could have been?
[1] https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes...
Source:
https://distrowatch.com/
Oddly, they say it is in openbsd. I thought they moved off openssl years ago. (It might be good to take the other things I said with a grain of salt.)
I don't know if any other ports use it; they try to make them work with LibreSSL, but maybe a few ports use OpenSSL 3.