We are currently using OpenSSL v. 3.0.4. We should upgrade to the latest release 3.1.0 (released 14 Mar 2023).
Note that OpenSSL has been updated once before, in 4.15.0 in bug 7961. When writing release notes for this bug, check what release notes already exist for this topic and update them if needed.
There have been a number of security fixes since the last update of OpenSSL, the most relevant being:
* CVE-2022-4450 - Double free after calling PEM_read_bio_ex
* CVE-2022-2274 - Bug in RSA implementation for AVX512IFMA capable CPUs
For a full list of security fixes, see https://www.openssl.org/news/vulnerabilities.html.
(In reply to Linn from comment #0)
> We should upgrade to the latest release 3.1.0 (released 14 Mar 2023).
Correction - the latest stable release is v. 3.0.8 (released 8 Feb 2023).
OpenSSL has been upgraded and, as a consequence, the patch for CVE-2022-2274 is no longer needed since that CVE has been fixed upstream.
Tested with server on Fedora 37 and Ubuntu 20.04.
* Logging in with public key
  - Key without password
  - Key with password
  - Non-authorized key
* Logging in with password
* Logging in with Kerberos
* Logging in with smart card
Things seem to work well. I used client build 3174 and server build 3271 on Fedora 38. I verified the following:
* Public key authentication (regular, password protected, not in authorized_keys, invalid key file)
* Password authentication
* Kerberos authentication
* Smart card authentication
* Smart card redirection
* Sound redirection
The commit also looks fine; I compared it to previous times we have upgraded OpenSSL.