Bug 26523 - openssl new security issue CVE-2020-1967
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-21 22:19 CEST by David Walser
Modified: 2020-04-22 16:00 CEST

See Also:
Source RPM: openssl-1.1.1f-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.1.1g



Description David Walser 2020-04-21 22:19:26 CEST
OpenSSL has issued an advisory today (April 21):
https://www.openssl.org/news/secadv/20200421.txt

The issue is fixed upstream in 1.1.1g.

1.0.2 and 1.1.0 are not affected, thus neither is Mageia 7.
David Walser 2020-04-21 22:19:40 CEST

Status comment: (none) => Fixed upstream in 1.1.1g

Comment 1 r howard 2020-04-22 02:08:52 CEST
With regard to "1.0.2 and 1.1.0 are not affected, thus neither is Mageia 7": that may or may not be true, as OpenSSL 1.0.2 and 1.1.0 are no longer supported by the OpenSSL project.
From https://www.openssl.org/policies/releasestrat.html :
Version 1.0.2 is no longer supported. Extended support for 1.0.2 to gain access to security fixes for that version is available.
Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported.

CC: (none) => rihoward1

Comment 2 David Walser 2020-04-22 02:11:46 CEST
The advisory explicitly stated that older branches are not affected.
Comment 3 r howard 2020-04-22 02:37:58 CEST
David, my apologies. I was super busy and only read the first line of the advisory. I should have read more.

I guess I should ask the question in the email list if OpenSSL 1.1.1g should be backported to Mageia 7.
Comment 4 David Walser 2020-04-22 02:41:49 CEST
Ideally it would be (I filed Bug 24433 for that a long time ago), but it's not as simple as backporting the newer openssl itself, but we would also have to backport updates and/or patches for all of the packages using it, to be compatible with the API changes, and that hasn't even completely happened in Cauldron yet.
Comment 5 r howard 2020-04-22 02:48:56 CEST
Yes, that sounds like a reasonable limitation due to shortage of packagers.
Comment 6 Nicolas Salguero 2020-04-22 15:55:23 CEST
Hi,

This is done: openssl-1.1.1g-1.mga8.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 7 David Walser 2020-04-22 16:00:59 CEST
Thanks!

Resolution: (none) => FIXED
Status: NEW => RESOLVED

