Upstream has issued an advisory today (February 26):
It contains this note:
OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.
Both OpenSSL versions in Cauldron will be EOL this year. We should drop the compat-openssl10 package and migrate the openssl package to 1.1.1.
Assigning to neoclust, because he is the registered maintainer of compat-openssl10 and there's no registered maintainer of openssl.
Source rpm list for packages still using oldest 1.0.x:
There might be more pkgs BR'ing openssl 1.0.x, but the mentioned pkgs use the libs from it.
Python 2.7.16 is compatible with OpenSSL 1.1.x:
Just a reminder that nothing has been done with this yet.
OpenSSL 1.1.0 will be EOL in a few hours, and 1.0.2 will be in a few months...
Is it possible to have OpenSSL 1.1.1 just for apache, along with 1.1.0 and 1.0.2?
Support is important, considering (31 October 2019):
Elliptic curve implementations vulnerable to Minerva timing attack
That would be highly undesirable. It's bad enough we already have to support two versions. We need to get rid of at least one of the current ones.
I agree. A Cloudflare blog explains why TLS 1.3 has been a long time coming, because the implementation in OpenSSL 1.1.1 had to be compatible with OpenSSL 1.1.0:
OpenSSL: All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible.
The transition 1.1.0 -> 1.1.1 should accordingly be easy, unless there are some hidden problems with e.g. the gcc compiler. OpenSSL 1.0.x is another matter, as the long list above shows.
This is release_blocker for a reason.
Making Mageia even better than ever is the best direction.
In order to do the right thing, this bug should be examined and fixed as soon as possible.
Packagers, please change the status to "Assigned" when you are working on this.
We will make a decision on the relevance of the release_blocker tag on 1st October 2020 QA meeting.
Mageia 7 =>
We will remain vulnerable to CVE-2020-1968 as long as we don't fix this:
In Cauldron / Mageia 8 only compat-openssl10 is vulnerable. It needs to go.
openssl versions in Mageia 7 will be EOL in less than a year =>
openssl versions in Mageia 7 are EOL
compat-openssl10 dropped in Cauldron.