openssl 3.0.3 not found

Issues related to applications and software problems and general support
diniji
Posts: 5
Joined: 2022/08/05 06:45:59

openssl 3.0.3 not found

Post by diniji » 2022/11/07 01:37:42

Hi, I'm updating the openssl from 3.0.0 to 3.0.7 but there was an error. The update is okay, but when I check the openssl version it gives the error openssl 3.0.3 not found. I'm using CentOS 9 Stream. Thank you.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl 3.0.3 not found

Post by TrevorH » 2022/11/07 01:43:03

Neither of those are versions supplied by CentOS Stream 9. The current openssl package is http://mirror.stream.centos.org/9-strea ... x86_64.rpm. If you compiled your own then congratulations, you just destroyed your system, time to reinstall.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: openssl 3.0.3 not found

Post by jlehtone » 2022/11/07 09:08:18

Indeed.

The only way to update anything in CentOS Stream (CS) is dnf up.
That will get you what is available for CS.
If you do use CS, then you must use the version of openssl that is in CS. No ifs or buts about it.

diniji
Posts: 5
Joined: 2022/08/05 06:45:59

Re: openssl 3.0.3 not found

Post by diniji » 2022/11/08 02:05:41

Hi, upon checking, the version of my openssl is 3.0.1. The problem is this version has a vulnerability (CVE-2022-3602). To fix this I need to update the openssl to version 3.0.7. I have downloaded the updated version from www.openssl.org and I have installed it properly. I tried to install the updated version on CentOS 7 and it works, but when installed on CentOS 9 the error is openssl 3.0.3 not found.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: openssl 3.0.3 not found

Post by jlehtone » 2022/11/08 07:10:59

diniji wrote (2022/11/08 02:05:41):
> the problem is this version has a vulnerability (CVE-2022-3602).
> to fix this I need to update the openssl to version 3.0.7.

Wrong.

The question is not what "openssl 3.0.1" has. The question is what "openssl in CentOS Stream 9 has".
Red Hat apparently did originally base the openssl for CentOS Stream 9 on upstream "openssl 3.0.1", but
they do backport changes to their version.

The "fix" to all these security issues is to run the dnf up whenever Red Hat releases new packages for CS9.
If they don't backport a fix to CS9 version of openssl, then they don't deem it necessary.

What are the latest changes in the openssl of CS9?

$ rpm -q --changelog -p http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/openssl-3.0.1-43.el9.x86_64.rpm | head
warning: http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/openssl-3.0.1-43.el9.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-43
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602

* Wed Oct 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-42
- CVE-2022-3602: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602 (rhbz#2137723)

* Thu Aug 11 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-41

See? Your "vulnerable 3.0.1" already has a fix for some "CVE-2022-3602".

For more, read https://access.redhat.com/solutions/57665

diniji wrote (2022/11/08 02:05:41):
> I tried to install the updated version on centos 7 and it works.

Some programming language standards have the term Undefined Behaviour (UB).
Code with UB is totally unpredictable. In the worst case it "seems to work". In the best case UB does crash every time and soon.
You were probably unlucky as your attempt to wreck your CentOS 7 system did not break it cleanly.
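
The changelog check from the post above, as an added example that is not part of the original thread: shell functions that read `rpm -q --changelog` text and report the earliest package build whose changelog names a given CVE. The function names are assumptions made for this example, and the embedded sample is the set of changelog lines quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: which package builds name a CVE in an RPM changelog?
# Reads `rpm -q --changelog` text on stdin; prints "EVR<TAB>date" per matching entry.
cve_builds() {
    local cve="$1"
    awk -v cve="$cve" '
        # Entry header, e.g. "* Tue Nov 01 2022 Name <mail> - 1:3.0.1-43"
        /^\* / { evr = $NF; date = $2 " " $3 " " $4 " " $5; seen = 0; next }
        # Body line naming the CVE; report each entry only once.
        index($0, cve) && !seen { print evr "\t" date; seen = 1 }
    '
}

# Earliest build naming the CVE (rpm lists changelog entries newest first).
first_build_mentioning() {
    cve_builds "$1" | tail -n 1 | cut -f1
}

# Sample input: the changelog lines quoted in the post (the last entry is cut off there).
sample_changelog() {
    cat <<'EOF'
* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-43
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602

* Wed Oct 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-42
- CVE-2022-3602: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602 (rhbz#2137723)

* Thu Aug 11 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-41
EOF
}

# On a real host (assumes rpm and the distribution openssl package are installed):
#   rpm -q --changelog openssl | first_build_mentioning CVE-2022-3602
#   rpm -q openssl                    # compare the installed build with the one reported
#   rpm -qf "$(command -v openssl)"   # "is not owned by any package" means a
#                                     # self-built binary is shadowing the packaged one
```

For the sample, `sample_changelog | first_build_mentioning CVE-2022-3602` prints 1:3.0.1-42, so any installed build at or after that release carries the backport even though the upstream version string still reads 3.0.1.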

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl 3.0.3 not found

Post by TrevorH » 2022/11/08 13:12:49

> I tried to install the updated version on centos 7 and it works

So you broke that one too. And CentOS 7 doesn't ship openssl 3 at all and it is incompatible with older versions so you _really_ broke that one. And older versions are NOT vulnerable to this as the flaw was introduced in openssl 3.0.0.

The correct openssl version on CentOS 7 is 1.0.2k, specifically openssl-1.0.2k-25.el7_9.x86_64

diniji
Posts: 5
Joined: 2022/08/05 06:45:59

Re: openssl 3.0.3 not found

Post by diniji » 2022/11/16 02:08:01

Okay. Thank you much.
