Almalinux 8.5 - update openssl 3

Hello,

How can I update OpenSSL 1.1.1 to the latest 3.0.7 version on AlmaLinux 8.5?

AlmaLinux 8.5 is not affected by the CVE-2022-3602 and CVE-2022-3786 vulnerabilities because it uses OpenSSL 1.1.1.
However, since OpenSSL 1.1.1 will be unsupported on September 11, 2023, I would like to upgrade the server side to version 3.0.7.

Kind Regards,
gog

dnf up

That is, install whatever updates become available.

Red Hat maintains the packages that are in RHEL. RHEL 8 lives to 2029. It will have a maintained openssl all the way.

Btw, Alma 8 is now 8.7. No longer 8.6 and definitely not 8.5 any more.


Hello Jlehtone,

I ran dnf up, and after that I installed the following two EPEL repositories.
After that, I typed sudo yum install openssl3, and 3.0.1-43.el8.1 was installed.
Does this version fix the CVE-2022-3602 and CVE-2022-3786 vulnerabilities?
I did dnf up without adding EPEL, but openssl3 was not installed.

Please let me know if you know of any page where I can check whether 3.0.1-43.el8.1 is the version that addresses the CVE-2022-3602 and CVE-2022-3786 vulnerabilities.

epel Extra Packages for Enterprise Linux 8 - x86_64
epel-next Extra Packages for Enterprise Linux 8 - Next - x86_64

[root@ip ~]# sudo yum install openssl3
Last metadata expiration check: 0:10:59 ago on Fri 11 Nov 2022 04:45:37 PM JST.
Dependencies resolved.
================================================================================
 Package            Architecture   Version            Repository        Size
================================================================================
Installing:
 openssl3           x86_64         3.0.1-43.el8.1     epel             1.1 M
Installing dependencies:
 openssl3-libs      x86_64         3.0.1-43.el8.1     epel             2.4 M

Kind Regards,
gog

Let's say it again:

  • Alma 8 has the same packages as RHEL 8
  • RHEL 8 has some version of openssl. The openssl is a core package that several services depend on. They are built to use the openssl that RHEL 8 has
  • Red Hat does support the version of openssl that is in RHEL 8. They do backport fixes and features. See https://access.redhat.com/solutions/57665
  • RHEL 8 (and hence Alma 8) will have a supported version of openssl for its entire life-cycle
  • EPEL is extra packages – volunteer additions; no SLA like RHEL content

The “server” will not automatically use openssl3; you would have to replace all applications/services with versions that do. It would be easier to switch to a distro that does have openssl3 natively. For example, AlmaLinux 9.

That said, run:

rpm -q --changelog openssl3 | less

That is where CVEs are usually mentioned.


Thank you very much for your kind response.

I have confirmed that openssl3-3.0.1-43.el8.1.x86_64.rpm has the fix for this vulnerability, although I downloaded it from EPEL.

  • CVE-2022-3602: X.509 Email Address Buffer Overflow
  • CVE-2022-3786: X.509 Email Address Buffer Overflow
    Resolves: CVE-2022-3602

I am currently using OpenVPN Access Server on AlmaLinux, but since OpenVPN Access Server is only supported on RHEL 7 and RHEL 8, and since it seemed difficult to upgrade the entire OS from AlmaLinux 8.6 to AlmaLinux 9, I was looking for a fix for the openssl3 vulnerability that works on AlmaLinux 8.

Kind Regards,
gog
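The two checks the thread turns on, scripted as an added example (not code from the forum posts or from AlmaLinux): does the installed package's rpm changelog record a fix for the CVE ids, and which libssl does a given service binary actually load, since installing the EPEL openssl3 package does not change what the distro's own services link against. The changelog and ldd text below are constructed samples; on a real host feed the functions the output of `rpm -q --changelog openssl3` and `ldd /path/to/binary`.

```sh
#!/bin/sh
# Added example: verify a CVE backport via the rpm changelog and check which
# libssl a binary resolves to. Both functions parse text so they can run on
# captured output as well as on a live host.

# cve_fixed_in_changelog CHANGELOG_TEXT CVE-ID...
# Prints "<id> fixed" or "<id> not-mentioned" per id; returns 0 only when
# every id is mentioned in the changelog text.
cve_fixed_in_changelog() {
    changelog=$1; shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qi -- "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve not-mentioned"
            missing=1
        fi
    done
    return $missing
}

# linked_libssl LDD_OUTPUT
# Prints the path of the libssl shared object from ldd output, which shows
# whether a service uses the distro's libssl 1.1 or an OpenSSL 3 build.
linked_libssl() {
    printf '%s\n' "$1" | awk '/libssl\.so/ { print $3; exit }'
}

# Constructed sample data (not real output from any host in the thread).
SAMPLE_CHANGELOG='* Wed Nov 02 2022 Packager <packager@example.com> - 3.0.1-43.el8.1
- Fix CVE-2022-3602 X.509 Email Address Buffer Overflow
- Fix CVE-2022-3786 X.509 Email Address Buffer Overflow
* Mon Jun 06 2022 Packager <packager@example.com> - 3.0.1-40.el8
- Rebase to 3.0.1'

SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd0a1f0000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f3a1c000000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f3a1bb00000)'

if [ -n "$1" ] && command -v rpm >/dev/null 2>&1; then
    # Live host: pass a package name, e.g. openssl3, as the first argument
    cve_fixed_in_changelog "$(rpm -q --changelog "$1")" CVE-2022-3602 CVE-2022-3786
else
    cve_fixed_in_changelog "$SAMPLE_CHANGELOG" CVE-2022-3602 CVE-2022-3786
    linked_libssl "$SAMPLE_LDD"
fi
```

A service still showing /lib64/libssl.so.1.1 in ldd is using the RHEL-maintained 1.1.1 build, which is the one Red Hat backports fixes into, regardless of the openssl3 package being installed alongside it.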