Urgent Security Update for OpenSSL

Posted: Wed Feb 08, 2023 4:52 am
by scsijon

Passed on by request as the matter is VERY urgent.
Will the various package managers please attend to it as a matter of most urgency.

The OpenSSL project released a security update earlier today which
contains 8 security fixes in it. One of these vulnerabilities is rated
as High, while the others are rated as Moderate.

The CVE identifiers for these vulnerabilities are CVE-2023-0286,
CVE-2022-0434, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450,
CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401.

These vulnerabilities can be triggered in a variety of different use
cases, such as RSA decryption, X.400 address processing, X.509
certificate verification, usage of OpenSSL API functions such as
BIO_new_NDEF/PEM_read_bio_ex/d2i_PKCS7 functions, verifying DSA public
keys, and verifying PKCS7 data.

Due to the amount of places where OpenSSL can be used for cryptography,
it's imperative that you upgrade your systems to OpenSSL-3.0.8
immediately, or 1.1.1t if you're on LFS 11.1 or older.

The best reference for more details can be found in the LFS ticket for this update -
https://wiki.linuxfromscratch.org/lfs/ticket/5211
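
A quick way to check whether a system is already on one of the fixed releases named above, added here as an example (it is not from scsijon's post or the LFS ticket). The function name and the assumption that it is fed the first line of `openssl version` output are mine; it only knows the two branches the post covers and reports anything else as unknown.

```shell
#!/bin/sh
# Added example, not part of the forum post: classify an OpenSSL version
# line against the fixed releases the post names (3.0.8 on the 3.0 branch,
# 1.1.1t on the 1.1.1 branch). The argument is the first line printed by
# `openssl version`, e.g. "OpenSSL 3.0.7 1 Nov 2022", so the function can
# be exercised offline on constructed strings. Prints one word and returns
# 0 = patched, 1 = vulnerable (older than the fix), 2 = branch not covered.
#
# Usage on a live system:  openssl_fix_status "$(openssl version)"

openssl_fix_status() {
    set -- $1                         # split "OpenSSL 3.0.7 1 Nov 2022" into words
    [ "$1" = "OpenSSL" ] || { echo unknown; return 2; }
    ver=$2
    case "$ver" in
        3.0.*)
            # 3.0.x carries a numeric patch level; some builds append a
            # suffix such as "3.0.7-dev", so keep only the leading digits
            patch=${ver#3.0.}
            patch=${patch%%[!0-9]*}
            if [ "${patch:-0}" -ge 8 ]; then echo patched; return 0; fi
            echo vulnerable; return 1 ;;
        1.1.1*)
            # 1.1.1 releases are lettered; everything up to "s", and the
            # unlettered 1.1.1 itself, predates the fix in 1.1.1t
            letter=${ver#1.1.1}
            letter=${letter%%[!a-z]*}
            case "$letter" in
                [t-z]) echo patched; return 0 ;;
                *)     echo vulnerable; return 1 ;;
            esac ;;
        *)
            # 1.0.2, 3.1 and anything else are outside what the post states
            echo unknown; return 2 ;;
    esac
}
```

The word printed is the result to act on; the return code lets the function drive a package manager hook or a fleet-wide audit script.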


Re: Urgent Security Update for OpenSSL

Posted: Fri Feb 24, 2023 9:57 am
by BarryK

Thanks for the info.
I have updated easyOS to openssl 3.0.8, see blog post:

https://bkhome.org/news/202302/openssl- ... o-308.html