6 comments

[ 3.1 ms ] story [ 29.6 ms ] thread
RCE and unprivileged access to memory? (to dump keys and the like)

seems fun

This seems to affect only OpenSSL 3.x.x

Most distros have never bothered to upgrade to major version 3 - possibly because it broke ABI backwards compatibility - so despite the critical severity the impact might not be as widespread as it could have been?

OpenSSL 3 is in Ubuntu 22.04 LTS [1]. I expect that alone to be bad enough.

[1] https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes...

It is in fedora and debian testing, but not stable. It made it into redhat 9, but none of the earlier ones or centos.

Source:

https://distrowatch.com/

Oddly, they say it is in openbsd. I thought they moved off openssl years ago. (It might be good to take the other things I said with a grain of salt.)

OpenBSD uses LibreSSL in base, but they provide OpenSSL ports/packages, including for OpenSSL 3: https://openports.se/security/openssl/3.0

I don't know if any other ports use it; they try to make them work with LibreSSL, but maybe a few ports use OpenSSL 3.

No cute name / logo for this one?