OpenSSL 3.0.7, released today, fixes two critical security issues that have caused panic since last week.
OpenSSL 3.0.7 release
The highly anticipated OpenSSL 3.0.7 is now released, fixing two high-severity CVEs. Maintainers of all the major Linux distributions and, most importantly, server admins have been waiting for this fix since the OpenSSL team announced it last week. Because of how critical this package is, some distro releases were delayed (Fedora 37, for example), along with, most likely, patching activities across the industry.
Both high-severity fixes address buffer overruns that affect the entire OpenSSL 3.0.0 series to date (3.0.0 through 3.0.6). Alarming as it may sound, these two vulnerabilities have been out in the wild for almost a year, since the 3.0.0 release in 2021.
The first, CVE-2022-3786, is triggered by a malicious email address carrying an arbitrary payload containing the "." character (decimal 46). The second, CVE-2022-3602, likewise involves a crafted email address, processed during the name constraint checking of X.509 certificates.
As of publishing, the major distros (Debian, Ubuntu, Fedora, Red Hat) have yet to update their OpenSSL package to version 3.0.7.
So, as soon as it arrives, update your desktops and servers immediately. This is especially critical for anyone who relies on TLS-based authentication for remote connections to servers.
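To check whether a given OpenSSL build falls in the affected 3.0.0 through 3.0.6 range described above, here is an added example (not part of the original article); it parses the version string from `openssl version` output, and the sample banner lines it runs over are constructed for illustration.

```shell
# Added example: decide whether an OpenSSL version is in the range affected by
# CVE-2022-3786 / CVE-2022-3602, i.e. 3.0.0 through 3.0.6 (fixed in 3.0.7).
# 1.1.1 and earlier, and 3.1.x and later, are not affected.
# openssl_affected "3.0.5" -> exit status 0 (affected), 1 (not affected)
openssl_affected() {
    ver="$1"
    major=${ver%%.*}                                      # "3"
    rest=${ver#*.}                                        # "0.5" or "0.5-dev"
    minor=${rest%%.*}                                     # "0"
    patch=${rest#*.}                                      # "5" or "5-dev"
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')   # strip suffixes like "-dev", "q"
    [ "$major" = "3" ] && [ "$minor" = "0" ] && [ -n "$patch" ] && [ "$patch" -le 6 ]
}

# Pull the bare version out of an `openssl version` banner,
# e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5"
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Report one banner line as affected or not.
check_banner() {
    v=$(openssl_version_from_banner "$1")
    if openssl_affected "$v"; then
        echo "AFFECTED: $v (update to 3.0.7 or later)"
    else
        echo "not affected: $v"
    fi
}

# Constructed sample banners (not real output from any particular host).
check_banner "OpenSSL 3.0.5 5 Jul 2022"
check_banner "OpenSSL 3.0.7 1 Nov 2022"
check_banner "OpenSSL 1.1.1q  5 Jul 2022"

# If an openssl binary is on PATH, check the real one too.
if command -v openssl >/dev/null 2>&1; then
    check_banner "$(openssl version)"
fi
```

Note that a distro package may carry a backported fix under a 3.0.x version number below 3.0.7, so treat the version string check as a first pass and confirm against your distribution's advisory.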
Keep a watch on the pages below for updated packages for the major Linux distributions.
Arch Linux folks are superfast, it seems. It’s already in the staging repo within two hours of the release!