Upstream has issued an advisory today (February 26): https://www.openssl.org/news/secadv/20190226.txt It contains this note: OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1. Both OpenSSL versions in Cauldron will be EOL this year. We should drop the compat-openssl10 package and migrate the openssl package to 1.1.1.
Priority: Normal => release_blocker
Target Milestone: --- => Mageia 7
Assigning to neoclust, because he is the registered maintainer of compat-openssl10 and there's no registered maintainer of openssl
CC: (none) => marja11
Assignee: bugsquad => mageia
Source rpm list for packages still using oldest 1.0.x: afbackup botan c-client freepops freeswitch ghpsdr3-alex harbour ice ipsec-tools ircd-hybrid jboss-web-native libmsn libofetion libqxt mongo-tools netty-tcnative pam_ssh ptlib sslscan sslsniff ucommon ufdbguard vdr-plugin-sc w3c-libwww wvstreams There might be more pkgs BR'ing openssl 1.0.x, but the mentioned pkgs use the libs from it.
Python 2.7.16 is compatible with OpenSSL 1.1.x: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/
Just a reminder that nothing has been done with this yet.
OpenSSL 1.1.0 will be EOL in a few hours, and 1.0.2 will be in a few months...
Whiteboard: (none) => MGA7TOO
Is it possible to have OpenSSL 1.1.1 just for apache, along with 1.1.0 and 1.0.2? It is important with support considering (31 October 2019): Elliptic curve implementations vulnerable to Minerva timing attack
CC: (none) => bjarne.thomsen
https://www.feistyduck.com/bulletproof-tls-newsletter/issue_58_elliptic_curve_implementations_vulnerable_to_minerva_timing_attack
That would be highly undesirable. It's bad enough we already have to support two versions. We need to get rid of at least one of the current ones.
I agree. A Cloudflare Blog explains why TLS 1.3 has been a long time on the way because the implementation in OpenSSL 1.1.1 had to be compatible with OpenSSL 1.1.0: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ OpenSSL: All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible. The transition 1.1.0 -> 1.1.1 should accordingly be easy, unless there are some hidden problems with e.g. the gcc compiler. OpenSSL 1.0.x is another matter, as the long list above shows.
Hi, This is release_blocker for a reason. Making Mageia even better than ever is the best direction. In order to do the right thing, this bug should be examined and fixed as soon as possible. Packagers, please change the status to "Assigned" when you are working on this. We will make a decision on the relevance of the release_blocker tag at the 1st October 2020 QA meeting.
Target Milestone: Mageia 7 => Mageia 8
We will remain vulnerable to CVE-2020-1968 as long as we don't fix this: https://www.openssl.org/news/secadv/20200909.txt In Cauldron / Mageia 8 only compat-openssl10 is vulnerable. It needs to go.
Summary: openssl versions in Mageia 7 will be EOL in less than a year => openssl versions in Mageia 7 are EOL
compat-openssl10 dropped in Cauldron.
Whiteboard: MGA7TOO => (none)
Priority: release_blocker => Normal
Version: Cauldron => 7
Mageia 7 is EOL.
Resolution: (none) => OLD
Status: NEW => RESOLVED