OpenSSL 1.0.2 and CentOS

gonetilnovember
Posts: 1
Joined: 2021/11/18 18:33:37

OpenSSL 1.0.2 and CentOS

Post by gonetilnovember » 2021/11/18 18:52:14

Could a dev or someone else directly associated with the project please confirm and/or provide details on how CentOS supports OpenSSL 1.0.2?

There is concern about this version being EOL.

But to my understanding CentOS still does security patching as needed.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 1.0.2 and CentOS

Post by TrevorH » 2021/11/18 19:07:44

All packages included in the base RHEL distro are supported by Red Hat until the EOL date of the o/s. When they release public packages to fix problems then they also make the source code available and the CentOS team rebuild that and release the packages for CentOS users. The only changes made to RH packages by CentOS are to remove RH branding and logos, no code changes are made. The full "rules" as to what they do and do not patch can be found by reading https://access.redhat.com/support/policy/updates/errata

Since you're asking in the CentOS 7 section about openssl 1.0.2 then the distro EOL date is in mid-2024. You can query the package to see the changelog:

Code:

[root@centos7 ~]# rpm -q --changelog openssl
* Wed Sep 01 2021 Sahana Prasad <sahana@redhat.com> 1.0.2k-22
- fix CVE-2021-23841 openssl: NULL pointer dereference
  in X509_issuer_and_serial_hash()
- fix CVE-2021-23840 openssl: integer overflow in CipherUpdate
- Resolves: rhbz#1932132, rhbz#1932126
...

CentOS Linux 8 goes EOL in about 6 weeks.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
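
The changelog query from the post above can be scripted to answer "does this build carry the backported fix for a given CVE?", since the upstream version string (1.0.2k) alone does not show it. This is an added example, not part of the original thread; the function names are hypothetical and the sample input is the single changelog entry quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample input: the one changelog entry quoted in the post above.
sample_changelog() {
cat <<'EOF'
* Wed Sep 01 2021 Sahana Prasad <sahana@redhat.com> 1.0.2k-22
- fix CVE-2021-23841 openssl: NULL pointer dereference
  in X509_issuer_and_serial_hash()
- fix CVE-2021-23840 openssl: integer overflow in CipherUpdate
- Resolves: rhbz#1932132, rhbz#1932126
EOF
}

# cve_fixed_in CVE-ID
# Reads `rpm -q --changelog <pkg>` text on stdin (newest entry first) and
# prints the version-release of the oldest entry that mentions the CVE,
# i.e. the first build that carried the fix.
# Exit status: 0 found, 1 not mentioned, 2 malformed CVE id.
cve_fixed_in() {
    # Validate the id before it is used to build a regular expression.
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
    awk -v cve="$1" '
        # Delimit the id so CVE-2021-2384 does not match CVE-2021-23841.
        BEGIN { pat = "(^|[^0-9A-Za-z])" cve "([^0-9]|$)" }
        /^\* /   { rel = $NF }      # entry header: last field is version-release
        $0 ~ pat { found = rel }    # keep overwriting: last hit is the oldest entry
        END      { if (found == "") exit 1; print found }
    '
}

# On a CentOS 7 host:
#   rpm -q --changelog openssl | cve_fixed_in CVE-2021-23841
```

A miss (exit status 1) means only that the changelog does not mention the id; the errata policy linked in the post is the reference for what does and does not get patched.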

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: OpenSSL 1.0.2 and CentOS

Post by jlehtone » 2021/11/18 20:45:47

More on versioning and backporting that Red Hat does: https://www.redhat.com/en/blog/what-bac ... t-products

RHEL 7 (and hence CentOS Linux 7) is based on material that was available in 2013. By hook or crook, Red Hat will keep it alive to 2024 (and a bit longer for well-paying customers.)
