On Tue, Mar 3, 2020 at 6:31 PM Leon Fauster via CentOS <centos at centos.org> wrote:

> On 03.03.20 at 11:31, Kaushal Shriyan wrote:
> > Hi,
> >
> > I am running CentOS Linux release 7.7.1908 (Core) with the below mentioned
> > OpenSSL version. As per https://www.openssl.org/policies/releasestrat.html,
> > version 1.0.2 is no longer supported.
> >
> > OpenSSL Version
> > > #openssl version
> > > OpenSSL 1.0.2k-fips 26 Jan 2017
> > > #
> >
> > Are there any plans for the latest stable supported version of OpenSSL to
> > be made available in the CentOS 7.x version? I look forward to hearing from
> > you and thanks in advance.
>
> Please consider this article:
>
> https://access.redhat.com/security/updates/backporting/
>
> --
> Leon
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Hi Leon,

I have gone through the article https://access.redhat.com/security/updates/backporting/. I have a follow-up question. Do I need to wait for OpenSSL version 1.1.1d to be available on CentOS 7.x once it is tested in the upstream RHEL 7.x version? Please correct me if I misunderstood anything. I look forward to hearing from you and thanks in advance.

Best Regards,
On Tue, Mar 03, 2020 at 07:02:40PM +0530, Kaushal Shriyan wrote:

> I have gone through the article
> https://access.redhat.com/security/updates/backporting/. I have a
> follow-up question. Do I need to wait for OpenSSL version 1.1.1d to be
> available on CentOS 7.x once it is tested in the upstream RHEL 7.x
> version? Please correct me if I misunderstood anything. I look forward to
> hearing from you and thanks in advance.

To quote the article:

> We use the term backporting to describe the action of taking a fix
> for a security flaw out of the most recent version of an upstream
> software package and applying that fix to an older version of the
> package we distribute.

Basically, you'll likely never see version 1.1.1d in CentOS 7. Any software fixes will be backported to the version in CentOS 7, 1.0.2k.

The release will be incremented as new updates in CentOS come out, but it'll continue to be 1.0.2k until Red Hat decides to do a rebase. That doesn't happen until there are features that are needed that are too difficult to backport. There have been OpenSSL rebases mid-release (in c5 and c6 I think), and I remember it caused a lot of problems, so I don't look forward to it.

I think you need to back up and ask yourself *WHY* you are demanding the latest release of OpenSSL. Do you need features that are not available in the OpenSSL in CentOS 7? Is there an auditor saying you must have some version to be secure?

If you must have versions of OpenSSL not in CentOS 7, I suggest looking at packaging your application that uses SSL in a docker container that has that version available. Perhaps CentOS 8 will work for you.

--
Jonathan Billings <billings at negate.org>
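The practical consequence of the backporting model Jonathan describes is that the upstream version string (`openssl version` printing `1.0.2k-fips`) tells you nothing about which fixes are installed; only the RPM release field (the `19.el7` part of `openssl-1.0.2k-19.el7.x86_64`) and the package changelog do. The following Python is an added example, not code from the thread or from CentOS/Red Hat: it parses an RPM name-version-release.arch string, orders two packages the way rpm orders updates (a simplified `rpmvercmp`, without the `~`/`^` handling of the real one), and scans changelog text for an identifier. The package names, release numbers, changelog excerpt and the `CVE-0000-0000` identifier are constructed placeholders for the example, not real data.

```python
"""Added example (not from the thread): decide whether a backported fix is
installed by comparing the RPM version-release, not the upstream version
string that `openssl version` prints.

Assumptions (not from the page): the package strings and changelog text
below are constructed sample data, and CVE-0000-0000 is a placeholder
identifier, not a real vulnerability.
"""
import re

# name-version-release.arch, as printed by `rpm -q openssl`
NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(nevra):
    """Split 'openssl-1.0.2k-19.el7.x86_64' into name/version/release/arch."""
    m = NEVRA_RE.match(nevra)
    if not m:
        raise ValueError(f"not a NEVRA string: {nevra!r}")
    return m.groupdict()


def _segments(s):
    # rpm compares runs of digits and runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1. Numeric segments compare
    as integers, alphabetic ones lexically, and a numeric segment outranks
    an alphabetic one. The real function also handles '~' and '^'."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def compare_evr(a, b):
    """Order two parsed packages as yum/rpm order updates: version, then release."""
    c = rpmvercmp(a["version"], b["version"])
    return c if c else rpmvercmp(a["release"], b["release"])


def has_backported_fix(installed_nevra, first_fixed_nevra):
    """True when the installed package is at or past the release that an
    erratum names as the first one carrying the fix."""
    return compare_evr(parse_nevra(installed_nevra),
                       parse_nevra(first_fixed_nevra)) >= 0


def upstream_version_distinguishes(installed_nevra, first_fixed_nevra):
    """True only if the upstream version string alone would reveal the
    difference. For a backported fix it does not; the release field does."""
    return (parse_nevra(installed_nevra)["version"]
            != parse_nevra(first_fixed_nevra)["version"])


def changelog_mentions(changelog, identifier):
    """Scan `rpm -q --changelog <pkg>` output for an advisory identifier."""
    return any(identifier in line for line in changelog.splitlines())


# Constructed sample: same upstream version, different distro releases.
INSTALLED = "openssl-1.0.2k-12.el7.x86_64"
FIRST_FIXED = "openssl-1.0.2k-19.el7.x86_64"

# Constructed `rpm -q --changelog` excerpt; CVE-0000-0000 is a placeholder.
SAMPLE_CHANGELOG = """\
* Mon Jan 06 2020 Example Maintainer <maint@example.invalid> 1.0.2k-19
- fix CVE-0000-0000 (placeholder identifier for this example)
"""

if __name__ == "__main__":
    print("upstream version differs:",
          upstream_version_distinguishes(INSTALLED, FIRST_FIXED))
    print("installed release carries fix:",
          has_backported_fix(INSTALLED, FIRST_FIXED))
    print("fixed release carries fix:",
          has_backported_fix(FIRST_FIXED, FIRST_FIXED))
    print("changelog names the fix:",
          changelog_mentions(SAMPLE_CHANGELOG, "CVE-0000-0000"))
```

On a real host the inputs come from `rpm -q openssl` and `rpm -q --changelog openssl`, and the "first fixed" string from the vendor erratum for the CVE in question; a scanner that only compares the upstream `1.0.2k` against the newest OpenSSL release will flag every CentOS 7 box regardless of patch level.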
On Tue, Mar 3, 2020 at 7:32 PM Jonathan Billings <billings at negate.org> wrote:

> On Tue, Mar 03, 2020 at 07:02:40PM +0530, Kaushal Shriyan wrote:
> > I have gone through the article
> > https://access.redhat.com/security/updates/backporting/. I have a
> > follow-up question. Do I need to wait for OpenSSL version 1.1.1d to be
> > available on CentOS 7.x once it is tested in the upstream RHEL 7.x
> > version? Please correct me if I misunderstood anything. I look forward to
> > hearing from you and thanks in advance.
>
> To quote the article:
>
> > We use the term backporting to describe the action of taking a fix
> > for a security flaw out of the most recent version of an upstream
> > software package and applying that fix to an older version of the
> > package we distribute.
>
> Basically, you'll likely never see version 1.1.1d in CentOS 7. Any
> software fixes will be backported to the version in CentOS 7, 1.0.2k.
>
> The release will be incremented as new updates in CentOS come out, but
> it'll continue to be 1.0.2k until Red Hat decides to do a rebase.
> That doesn't happen until there are features that are needed that are
> too difficult to backport. There have been OpenSSL rebases
> mid-release (in c5 and c6 I think), and I remember it caused a lot of
> problems, so I don't look forward to it.
>
> I think you need to back up and ask yourself *WHY* you are demanding
> the latest release of OpenSSL. Do you need features that are not
> available in the OpenSSL in CentOS 7? Is there an auditor saying you
> must have some version to be secure?
>
> If you must have versions of OpenSSL not in CentOS 7, I suggest looking
> at packaging your application that uses SSL in a docker container that
> has that version available. Perhaps CentOS 8 will work for you.
>
> --
> Jonathan Billings <billings at negate.org>

Thanks Jonathan and Leon for the explanation, much appreciated.

Best Regards,
Kaushal