On Tue, Mar 03, 2020 at 07:02:40PM +0530, Kaushal Shriyan wrote:
> I have gone through the article https://access.redhat.com/security/updates/backporting/. I am having a follow-up question. Do I need to wait for the OpenSSL version 1.1.1d to be available on CentOS 7.x once it is tested in the upstream RHEL 7.x version? Please correct me if I misunderstood anything. I look forward to hearing from you and thanks in advance.
To quote the article:
We use the term backporting to describe the action of taking a fix for a security flaw out of the most recent version of an upstream software package and applying that fix to an older version of the package we distribute.
Basically, you'll likely never see version 1.1.1d in CentOS 7. Any software fixes will be backported to the version in CentOS 7, 1.0.2k.
The release will be incremented as new updates in CentOS come out, but it'll continue to be 1.0.2k until Red Hat decides to do a rebase. That doesn't happen until there are features that are needed that are too difficult to backport. There have been OpenSSL rebases mid-release (in c5 and c6 I think), and I remember it caused a lot of problems, so I don't look forward to it.
I think you need to back up and ask yourself *WHY* you are demanding the latest release of OpenSSL. Do you need features that are not available in the OpenSSL in CentOS 7? Is there an auditor saying you must have some version to be secure?
If you must have versions of OpenSSL not in CentOS 7, I suggest looking at packaging your application that uses SSL in a Docker container that has that version available. Perhaps CentOS 8 will work for you.
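As an added example (not part of the reply above, and not the CentOS project's own tooling): because the upstream version string stays at 1.0.2k while only the release field moves, the way to confirm a backported fix is to read the package changelog and compare release numbers rather than the version. The changelog text and the CVE id below are constructed placeholders; on a real host the text would come from `rpm -q --changelog openssl` and the NVRA string from `rpm -q openssl`.

```bash
#!/bin/bash
# Added example: verifying a backported fix on an RPM-based system such as
# CentOS 7, where "1.0.2k" does not change when security fixes are applied.
# All sample data here is constructed; the CVE id is a placeholder.

# Split an rpm "name-version-release.arch" string into version and release.
# Example: rpm_version_release openssl-1.0.2k-19.el7.x86_64 -> "1.0.2k 19.el7"
rpm_version_release() {
    local nvra="$1"
    local no_arch="${nvra%.*}"          # drop ".x86_64"
    local release="${no_arch##*-}"      # "19.el7"
    local nv="${no_arch%-*}"            # "openssl-1.0.2k"
    local version="${nv##*-}"           # "1.0.2k"
    printf '%s %s\n' "$version" "$release"
}

# Leading integer of the release field ("19.el7" -> 19), used to compare the
# installed release against the release in which a fix landed.
release_number() {
    printf '%s\n' "${1%%.*}"
}

# Return 0 if the CVE id appears in the supplied changelog text, 1 otherwise.
# On a real host: has_backported_fix "$(rpm -q --changelog openssl)" CVE-...
has_backported_fix() {
    local changelog="$1" cve="$2"
    printf '%s\n' "$changelog" | grep -q -i -- "$cve"
}

# Constructed sample in the shape of `rpm -q --changelog` output.
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Maintainer <maintainer@example.invalid> 1.0.2k-17
- fix CVE-0000-0001 (placeholder id) in the TLS handshake code
* Mon Jan 01 2018 Example Maintainer <maintainer@example.invalid> 1.0.2k-12
- rebuild for new release'

# Constructed installed package, as `rpm -q openssl` would print it.
INSTALLED_NVRA='openssl-1.0.2k-19.el7.x86_64'

if has_backported_fix "$SAMPLE_CHANGELOG" "CVE-0000-0001"; then
    set -- $(rpm_version_release "$INSTALLED_NVRA")   # $1=version $2=release
    if [ "$(release_number "$2")" -ge 17 ]; then
        echo "fix present: version $1 unchanged, release $2 is at or past 17"
    fi
fi
```

The version check alone would report 1.0.2k as "old" forever; the release number and changelog are what actually move when Red Hat ships a backported fix, so a scanner or auditor keying only on the upstream version string will misjudge the host.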