[Pkg-openssl-devel] Patch for critical CVE in OpenSSL

Kurt Roeckx kurt at roeckx.be
Thu Jun 23 18:15:54 BST 2022


On Thu, Jun 23, 2022 at 04:45:23PM +0000, chilly wrote:
> Hello everyone!
> 
> First time messaging this mailing list but at the moment there is a pretty nasty CVE for OpenSSL https://nvd.nist.gov/vuln/detail/CVE-2022-1292. It’s a 9.8/10 command execution and has already been patched (since 1.1.1p for stable). Looking at https://security-tracker.debian.org/tracker/source-package/openssl I see that the patch hasn’t deployed yet and I just wanted to bring that to everyone’s attention. If anyone needs help maintaining the package please let me know!

If you look at the security-tracker page you've linked to, you'll see it
in the resolved issues section. If you go to
https://security-tracker.debian.org/tracker/CVE-2022-1292 you'll see
that it's fixed in all suites.

The 9.8/10 is really just plain wrong, it's not exploitable over the
network.

There is also CVE-2022-2068, which is very similar, and hasn't been
fixed in all suites yet. It's unlikely that this will actually
affect you.


Kurt