FS#76140 - [openssl] CVE-2022-2068

Attached to Project: Arch Linux
Opened by semper victus (rageltman) - Saturday, 08 October 2022, 10:49 GMT
Last edited by Toolybird (Toolybird) - Sunday, 09 October 2022, 03:37 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: OpenSSL must be at least 1.1.1.o to provide remedy for CVE-2022-2068


Additional info:
* package version(s): 1.1.1.q
* link to upstream bug report: https://nvd.nist.gov/vuln/detail/CVE-2022-2068
* this CVE was published almost 1/4 of a year ago(!!!)


Closed by Toolybird (Toolybird)
Sunday, 09 October 2022, 03:37 GMT
Reason for closing: Fixed
Additional comments about closing: openssl 1.1.1.p-1

Comment by loqs (loqs) - Saturday, 08 October 2022, 12:13 GMT
This was fixed in [1] which is part of openssl 1.1.1.p and 1.1.1.q.

[1] https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9639817dac8bbbaa64d09efad7464ccc405527c7
Comment by Toolybird (Toolybird) - Sunday, 09 October 2022, 03:36 GMT
Thanks for the confirmation @loqs. Not sure where reporter got that png attachment from but it appears to be confusing. Just to confuse things even more, Arch has a security page where this CVE [1] is still listed as "vulnerable" even though we have upgraded to "openssl-1.1.1.q-1". I don't know who/what/how that page gets updated but it appears to be out of date. The fix is mentioned in the openssl changelog [2] for "1.1.1p" so we are fine AFAICT.

[1] https://security.archlinux.org/AVG-2765
[2] https://www.openssl.org/news/cl111.txt
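
The version ordering this task turns on (1.1.1o, then 1.1.1p, then 1.1.1q), as an added example that is not part of the original report and not Arch or OpenSSL tooling. The fixed release 1.1.1p is taken from the comments above; the function names and sample strings are constructed for illustration, and the handling of two-letter suffixes goes slightly beyond the versions named here.

```python
import re

# Fixed release for the 1.1.1 series, as stated in the comments above.
FIXED_111 = "1.1.1p"

# Accepts upstream form ("1.1.1q") and Arch package form ("openssl-1.1.1.q-1").
_VERSION_RE = re.compile(
    r"^(?:openssl-)?(\d+)\.(\d+)\.(\d+)\.?([a-z]*)(?:-[\d.]+)?$"
)


def parse_openssl_version(text):
    """Return a sortable key for a pre-3.0 OpenSSL version string."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letters = m.groups()
    # Letter suffixes sort by length first, then alphabetically:
    # "" < "a" < ... < "z" < "za" < "zb" ...
    return (int(major), int(minor), int(patch), len(letters), letters)


def includes_fix(installed, fixed=FIXED_111):
    """True if `installed` is at or after `fixed` within the same series."""
    inst = parse_openssl_version(installed)
    fix = parse_openssl_version(fixed)
    if inst[:3] != fix[:3]:
        # A different series has its own fixed release; refuse to guess.
        raise ValueError("different release series, compare against its own fix")
    return inst >= fix


if __name__ == "__main__":
    # Constructed sample inputs in both upstream and Arch spelling.
    for version in ("1.1.1.o", "1.1.1.p-1", "openssl-1.1.1.q-1", "1.1.1"):
        state = "includes fix" if includes_fix(version) else "predates fix"
        print(f"{version:20} {state}")
```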
