| Summary: | openssl versions in Mageia 7 are EOL | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | RPM Packages | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED OLD | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | bjarne.thomsen, marja11 |
| Version: | 7 | | |
| Target Milestone: | Mageia 8 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | openssl-1.1.0j-1.mga7.src.rpm, compat-openssl10-1.0.2r-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2019-02-27 03:58:56 CET
David Walser
2019-02-27 03:59:06 CET
Priority: Normal => release_blocker

Assigning to neoclust, because he is the registered maintainer of compat-openssl10 and there's no registered maintainer of openssl.

CC: (none) => marja11

Source rpm list for packages still using the oldest 1.0.x: afbackup botan c-client freepops freeswitch ghpsdr3-alex harbour ice ipsec-tools ircd-hybrid jboss-web-native libmsn libofetion libqxt mongo-tools netty-tcnative pam_ssh ptlib sslscan sslsniff ucommon ufdbguard vdr-plugin-sc w3c-libwww wvstreams

There might be more pkgs BR'ing openssl 1.0.x, but the mentioned pkgs use the libs from it.

Python 2.7.16 is compatible with OpenSSL 1.1.x: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/

Just a reminder that nothing has been done with this yet. OpenSSL 1.1.0 will be EOL in a few hours, and 1.0.2 will be in a few months...

Whiteboard: (none) => MGA7TOO

Is it possible to have OpenSSL 1.1.1 just for apache, along with 1.1.0 and 1.0.2? It is important for support, considering (31 October 2019): Elliptic curve implementations vulnerable to Minerva timing attack.

CC: (none) => bjarne.thomsen

That would be highly undesirable. It's bad enough we already have to support two versions. We need to get rid of at least one of the current ones.

I agree. A Cloudflare blog post explains why TLS 1.3 has been a long time coming, because the implementation in OpenSSL 1.1.1 had to be compatible with OpenSSL 1.1.0: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
OpenSSL: "All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible." The transition 1.1.0 -> 1.1.1 should accordingly be easy, unless there are some hidden problems with e.g. the gcc compiler. OpenSSL 1.0.x is another matter, as the long list above shows.

Hi, this is a release_blocker for a reason. Making Mageia even better than ever is the best direction. In order to do the right thing, this bug should be examined and fixed as soon as possible. Packagers, please change the status to "Assigned" when you are working on this. We will make a decision on the relevance of the release_blocker tag at the 1 October 2020 QA meeting.
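The "source rpm list" above was compiled by hand; the check below is an added example (not from this bug report, from Mageia's tooling, or from the openssl package) of how to derive such a list from the installed system instead. It assumes an RPM dump in the shape produced by `rpm -qa --qf '%{NAME} [%{REQUIRENAME} ]\n'` (package name followed by its requirements), and embeds a constructed sample in that shape so it runs offline; the package names in the sample are illustrative and their dependency lines are made up. One caveat worth knowing for the 1.1.0 -> 1.1.1 discussion: OpenSSL 1.1.0 and 1.1.1 both ship `libssl.so.1.1` / `libcrypto.so.1.1`, so a soname check separates 1.0.x consumers (soname `.so.1.0.0`) from 1.1.x consumers but cannot tell 1.1.0 from 1.1.1 consumers.

```shell
#!/bin/sh
# Added example, not from the Mageia bug report or any Mageia package.
# Given a dump of installed packages and their library requirements, list the
# packages still linked against the OpenSSL 1.0.x sonames, i.e. the ones that
# keep compat-openssl10 alive.
#
# On an RPM system the dump would come from (not run here):
#   rpm -qa --qf '%{NAME} [%{REQUIRENAME} ]\n'
# and a direct query for a single soname is:
#   rpm -q --whatrequires 'libssl.so.1.0.0()(64bit)'
# The sample below is constructed in that shape so the script runs offline.
# Package names are illustrative (a few taken from the bug's list); the
# dependency lines are made up.

SAMPLE_REQUIRES='afbackup libc.so.6()(64bit) libssl.so.1.0.0()(64bit) libcrypto.so.1.0.0()(64bit)
apache libc.so.6()(64bit) libssl.so.1.1()(64bit) libcrypto.so.1.1()(64bit)
sslscan libssl.so.1.0.0()(64bit) libcrypto.so.1.0.0()(64bit)
python2 libssl.so.1.1()(64bit) libcrypto.so.1.1()(64bit)
curl libssl.so.1.1()(64bit) libcrypto.so.1.1()(64bit)
pam_ssh libcrypto.so.1.0.0()(64bit) libpam.so.0()(64bit)
openssl libssl.so.1.1()(64bit)
compat-openssl10 libc.so.6()(64bit)'

# openssl10_consumers: read the dump on stdin, print (sorted, unique) the
# packages whose requirements name libssl.so.1.0.0 or libcrypto.so.1.0.0.
# The soname version is matched exactly, so libssl.so.1.1 is not counted.
openssl10_consumers() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i ~ /^lib(ssl|crypto)\.so\.1\.0\.0/) { print $1; break } }' |
        sort -u
}

# openssl_soname_report: count how many packages depend on each OpenSSL
# soname, one "soname count" pair per line. A package is counted once per
# soname even if the dump lists the same requirement twice.
openssl_soname_report() {
    awk '{
        for (i = 2; i <= NF; i++) {
            if (match($i, /^lib(ssl|crypto)\.so\.[0-9.]+/)) {
                so = substr($i, RSTART, RLENGTH)
                key = so " " $1
                if (!(key in seen)) { seen[key] = 1; count[so]++ }
            }
        }
    }
    END { for (so in count) print so, count[so] }' | sort
}

# Stand-alone run on the constructed sample.
echo "Packages still on OpenSSL 1.0.x:"
printf '%s\n' "$SAMPLE_REQUIRES" | openssl10_consumers
echo
echo "Packages per OpenSSL soname:"
printf '%s\n' "$SAMPLE_REQUIRES" | openssl_soname_report
```

On a real system, replace the sample with `rpm -qa --qf '%{NAME} [%{REQUIRENAME} ]\n' | openssl10_consumers`; packages that only BuildRequire openssl 1.0.x (and do not link against it) will not show up, which matches the distinction drawn in the comment above.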
David Walser
2020-09-19 18:58:23 CEST
Target Milestone: Mageia 7 => Mageia 8

We will remain vulnerable to CVE-2020-1968 as long as we don't fix this: https://www.openssl.org/news/secadv/20200909.txt

In Cauldron / Mageia 8 only compat-openssl10 is vulnerable. It needs to go.

Summary: openssl versions in Mageia 7 will be EOL in less than a year => openssl versions in Mageia 7 are EOL

compat-openssl10 dropped in Cauldron.

Whiteboard: MGA7TOO => (none)

Mageia 7 is EOL.

Resolution: (none) => OLD