[eduVPN-deploy] Critical OpenSSL vulnerability (Ubuntu 22.04, Fedora, EL9)
François Kooman
fkooman at deic.dk
Wed Nov 2 07:50:03 CET 2022
Hi all,
It turned out the vulnerability was not that "CRITICAL" after all. The
OpenSSL project wrote a blog post about it:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
By now all operating systems that we support (and use OpenSSL 3.x) have
updated OpenSSL packages:
* Ubuntu 22.04
* Fedora
* AlmaLinux 9
* RockyLinux 9
It is still recommended to install the updates on your server (and reboot)
as soon as possible, see below.
Regards,
François
On 26.10.22 10:58, François Kooman via eduVPN-deploy wrote:
> Hi all,
>
> The OpenSSL project will release a new version of OpenSSL next Tuesday
> (2022-11-01) that has a fix for a *CRITICAL* vulnerability.
>
> We do not have more information and can't be sure about the impact on
> eduVPN / Let's Connect!
>
> If your VPN server runs:
>
> * Ubuntu 22.04
> * EL9 (RHEL, AlmaLinux, Rocky Linux, CentOS Stream)
> * Fedora
>
> You MUST make sure you update immediately when the OpenSSL package
> updates become available from your OS vendor (on Tuesday!) and, just to
> be sure, reboot your system:
>
> $ sudo vpn-maint-update-system
> $ sudo reboot
>
> As Debian 11 uses OpenSSL 1.x the vulnerability does not apply there and
> no additional actions are required.
>
> Note: this is NOT a vulnerability in eduVPN/Let's Connect! but in OpenSSL.
>
> For more information, limited as it is:
>
> https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
>
> Regards,
> François