Hi,

OpenSSL has released fixes for two vulnerabilities in X.509
certificate verification. On affected releases, connecting to a
malicious HTTPS server can result in a crash or potentially in remote
code execution. The risk of remote code execution is believed to be
mitigated by multiple factors. For more information, see the upstream
[1] and Red Hat [2] advisories and the upstream blog post [3]. In
addition, software written in Go, including Ignition and the Podman
stack, is not affected.

Fedora CoreOS will roll out a fix later today in out-of-cycle `next`
(37.20221021.1.1) and `testing` (36.20221014.2.1) releases. These
will be followed by regular releases tomorrow, including a fixed
`stable` (36.20221014.3.0).

Updates will be posted in the Fedora CoreOS tracker issue [4]. If you
have any questions or concerns, post a comment in the issue or contact
us in #fedora-coreos on Libera.Chat.

--Benjamin Gilbert, for the Fedora CoreOS team

[1]: https://www.openssl.org/news/secadv/20221101.txt
[2]: https://access.redhat.com/security/cve/cve-2022-3602
[3]: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
[4]: https://github.com/coreos/fedora-coreos-tracker/issues/1329