Hi, OpenSSL has released fixes for two vulnerabilities in X.509 certificate verification. On affected releases, connecting to a malicious HTTPS server can result in a crash or potentially in remote code execution. The risk of remote code execution is believed to be mitigated by multiple factors. For more information, see the upstream [1] and Red Hat [2] advisories and the upstream blog post [3]. In addition, software written in Go, including Ignition and the Podman stack, is not affected. Fedora CoreOS will roll out a fix later today in out-of-cycle `next` (37.20221021.1.1) and `testing` (36.20221014.2.1) releases. These will be followed by regular releases tomorrow, including a fixed `stable` (36.20221014.3.0). Updates will be posted in the Fedora CoreOS tracker issue [4]. If you have any questions or concerns, post a comment in the issue or contact us in #fedora-coreos on Libera.Chat. --Benjamin Gilbert, for the Fedora CoreOS team [1]: https://www.openssl.org/news/secadv/20221101.txt [2]: https://access.redhat.com/security/cve/cve-2022-3602 [3]: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ [4]: https://github.com/coreos/fedora-coreos-tracker/issues/1329