CVE-2022-0778 - OpenSSL

Support for security such as Firewalls and securing linux
mikeant135
Posts: 2
Joined: 2022/03/30 18:28:30

CVE-2022-0778 - OpenSSL

Post by mikeant135 » 2022/03/30 18:33:39

Hello,

We are being flagged for the following CVE in our system: CVE-2022-0778, relating to openssl and related rpms.
I see there was an update on the 28th, but this is still being flagged for not being the el8_5 fix.
Is there a plan to release a new set of openssl and associated libraries/rpms soon?
This is for CentOS 8 Stream

Thank you!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-0778 - OpenSSL

Post by TrevorH » 2022/03/30 19:53:05

The fix for RHEL 8 and derivatives including Stream 8 is in openssl-1.1.1k-6, which was released yesterday or the day before. If you yum update you should see that update, and running rpm -q --changelog openssl | less after the update should show the CVE number as being fixed in the top 3 lines.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
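
Added example, not part of the original thread: the changelog check from the reply above written as a script that reports which changelog entry records a CVE, so the evidence does not depend on the release suffix of the package. The function names, the sample changelog text and the openssl-libs package argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a CVE fix from RPM changelog text.

# Constructed sample in the layout printed by `rpm -q --changelog`; the packager
# name and dates are made up, the version and CVE id are the ones in this thread.
SAMPLE_CHANGELOG='* Wed Mar 23 2022 Example Packager <packager@example.com> - 1.1.1k-6
- Fix CVE-2022-0778 (constructed sample line)

* Tue Oct 12 2021 Example Packager <packager@example.com> - 1.1.1k-5
- Constructed older entry without a CVE reference'

# find_cve_entry CVE_ID
# Reads changelog text on stdin and prints the header line of the newest entry
# that mentions CVE_ID. Exit status 1 means no entry mentions it.
find_cve_entry() {
    awk -v cve="$1" '
        /^\* /                         { header = $0; next }  # "* date packager - version"
        index($0, cve) && header != "" { print header; found = 1; exit }
        END                            { exit (found ? 0 : 1) }
    '
}

# check_installed CVE_ID PKG...
# Runs the same check against packages installed on this host (needs rpm).
check_installed() {
    cve_id=$1; shift
    rc=0
    for pkg in "$@"; do
        if entry=$(rpm -q --changelog "$pkg" 2>/dev/null | find_cve_entry "$cve_id"); then
            printf '%s: %s recorded in entry: %s\n' "$pkg" "$cve_id" "$entry"
        else
            printf '%s: no changelog entry mentions %s\n' "$pkg" "$cve_id"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample; on a real host use:
#   check_installed CVE-2022-0778 openssl openssl-libs
printf '%s\n' "$SAMPLE_CHANGELOG" | find_cve_entry CVE-2022-0778
```

The non-zero exit status of check_installed makes it usable in a compliance job that needs to attach changelog evidence to a scanner finding.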

mikeant135
Posts: 2
Joined: 2022/03/30 18:28:30

Re: CVE-2022-0778 - OpenSSL

Post by mikeant135 » 2022/04/01 18:12:03

Hi, thank you for the quick response.
The reason for my confusion is that on the Red Hat site, they mention it is fixed in openssl-1.1.1k-6.el8_5 vs 1.1.1.k-6.el8, which is coming from the CentOS 8 Stream repo.
This is tripping up a lot of different security scanning services, such as Twistlock and Aqua Sec scanning services.
If possible, could another release be done to match the version as specified by Red Hat?

This is the article I refer to from Red Hat: https://access.redhat.com/errata/RHSA-2022:1065

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-0778 - OpenSSL

Post by TrevorH » 2022/04/01 18:19:15

Report it as a bug in Stream 8 on bugzilla.redhat.com - at least I think that's the right place. For information on filing bugs against CentOS Linux or CentOS Stream please see https://wiki.centos.org/ReportBugs