Is CentOS 7 affected by this advisory:
OpenSSL Security Advisory [7th February 2023]
=============================================
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
...
Recent Open SSL security advisory
Re: Recent Open SSL security advisory
https://access.redhat.com/security/cve/cve-2023-0286 seems to say: "yes, but it's not critical enough to fix".
Re: Recent Open SSL security advisory
RHEL 7 is in its "Maintenance Support 2" tier until 30th June 2024 and it looks like that particular CVE, though rated "high" by openssl.org, was downgraded to "moderate" by Red Hat because the vulnerability only occurs if you modify the way it handles certificate revocation lists (which RHEL's implementation doesn't).
The problem is that there are 8 security vulnerabilities that have been fixed with the latest OpenSSL 3.0.8 and 1.1.1t releases, but there is no "free" fix for any 1.0.2 release (which is what RHEL 7/CentOS 7 uses). If you want a fixed 1.0.2 release from openssl.org, you have to pay them $50,000 a year (I kid you not).
So if Red Hat don't fix it for RHEL 7, we won't see official CentOS 7 fixes either and with no free download of a fixed 1.0.2 release from openssl.org, there will be no "official" way to get a fix for the 8 vulnerabilities, even though RHEL 7/CentOS 7 still have over a year of support left. Yes, in theory you could look at the source diffs for the 1.1.1 fixes and try to apply them to the 1.0.2k CentOS 7 source, but it's all messy and you're not guaranteed that 1.1.1 fixes can be easily backported to 1.0.2 anyway.
Re: Recent Open SSL security advisory
Most of the openssl vulnerabilities listed there are not applicable to 1.0.2 anyway - https://www.openssl.org/news/secadv/20230207.txt
CVE-2023-0401 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2023-0217 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2023-0216 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2022-4450 - OpenSSL 1.0.2 is not affected by this issue.
CVE-2023-0215 - affected
CVE-2022-4203 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2022-4304 - affected
CVE-2023-0286 - affected but this is the one that RH say is almost impossible to exploit
So of those 8, 5 are not applicable to 1.0.2 at all.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
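The post above narrows the advisory down to three CVEs that still apply to 1.0.2. As an added example (not from the thread or from any distribution's tooling), this POSIX shell snippet checks whether a package changelog, as `rpm -q --changelog openssl` prints it on CentOS 7, mentions each of those three CVE ids; the sample changelog is constructed for the demonstration and is not a real openssl changelog.

```shell
#!/bin/sh
# Added example: look for the three CVEs this thread lists as applicable
# to OpenSSL 1.0.2 in an RPM changelog, so an admin can tell at a glance
# whether the installed openssl package claims a fix for each one.

# The CVEs the thread identifies as applicable to OpenSSL 1.0.2.
APPLICABLE_CVES="CVE-2023-0215 CVE-2022-4304 CVE-2023-0286"

# cve_status CHANGELOG_TEXT CVE_ID -> prints "fixed" if the id appears
# anywhere in the changelog text, "missing" otherwise (fixed-string match).
cve_status() {
    if printf '%s\n' "$1" | grep -qiF -- "$2"; then
        echo fixed
    else
        echo missing
    fi
}

# report_missing CHANGELOG_TEXT -> prints every applicable CVE id that the
# changelog does not mention, one per line.
report_missing() {
    for cve in $APPLICABLE_CVES; do
        [ "$(cve_status "$1" "$cve")" = missing ] && echo "$cve"
    done
    return 0
}

# Constructed sample changelog (placeholder maintainer and release numbers);
# it mentions one of the three CVEs and omits the other two.
SAMPLE_CHANGELOG='* Fri Jan 20 2023 Placeholder Maintainer - 1:1.0.2k-PLACEHOLDER
- fix CVE-2023-0286 X.400 address type confusion in X.509 GeneralName
* Mon Nov 21 2022 Placeholder Maintainer - 1:1.0.2k-PLACEHOLDER
- unrelated change'

echo "Sample changelog, CVEs not mentioned:"
report_missing "$SAMPLE_CHANGELOG"

# Live check against the installed package when run on an RPM-based host.
if command -v rpm >/dev/null 2>&1 && rpm -q openssl >/dev/null 2>&1; then
    echo "Installed $(rpm -q openssl), CVEs not mentioned in its changelog:"
    report_missing "$(rpm -q --changelog openssl)"
fi
```

A changelog mention only shows what the packager claims to have fixed; it is a quick inventory check, not proof that the patched code matches the upstream fix.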
Re: Recent Open SSL security advisory
CVE-2023-0215 - affected
CVE-2022-4304 - affected
CVE-2023-0286 - affected (today maybe almost impossible to exploit, but tomorrow nobody knows)
In the end 1 exploit is enough to be vulnerable. No chance explaining this to the security department in a company...
And it doesn't seem that these 3 CVEs are fixed, thus CentOS (in this regard) is not maintained anymore.
The only solution is to switch to some other distro now (not in 2024). I mean the death was foreseeable it just came a bit earlier than expected.
Re: Recent Open SSL security advisory
It's not only CentOS, it's RHEL 7 as well.