Bug 8279 - Our OpenSSL is out of date
Summary: Our OpenSSL is out of date
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.16.0
Assignee: Pierre Ossman
Keywords: relnotes
Reported: 2024-01-02 12:51 CET by Pierre Ossman
Modified: 2024-01-05 13:34 CET

Acceptance Criteria:
MUST:

 * OpenSSL included in ThinLinc should not have any known security issues
   affecting ThinLinc users

SHOULD:

 * The latest stable OpenSSL should be included in ThinLinc

Description Pierre Ossman cendio 2024-01-02 12:51:06 CET
We currently have OpenSSL 3.0.8 in our build system. The latest stable version is 3.2.0, and there have been some security fixes since our last upgrade. Some of those fixes might be relevant for us.
Comment 1 Pierre Ossman cendio 2024-01-02 13:50:32 CET
These are the security fixes OpenSSL has listed:

* CVE-2023-5678, CVE-2023-3817, CVE-2023-3446

  Might affect us as ssh uses Diffie-Hellman. Note that it is only a
  denial-of-service, which doesn't have as much effect on a client.

* CVE-2023-5363

  OpenSSH doesn't use those functions, so shouldn't impact us.

* CVE-2023-4807

  OpenSSH uses POLY1305, so likely affects our users. Fortunately, OpenSSL deems
  this as a low-risk issue, with denial-of-service the most likely consequence.

* CVE-2023-2975

  Unlikely to affect us as OpenSSL states they do not know of any application
  affected by this.

* CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464

  X.509 isn't used by OpenSSH.

* CVE-2023-1255

  We don't have a 64-bit ARM build.
Comment 6 Pierre Ossman cendio 2024-01-04 16:32:02 CET
This bug got tested as part of testing of bug 8281.

Everything should be upgraded and working fine.

> MUST:
> 
>  * OpenSSL included in ThinLinc should not have any known security issues
>    affecting ThinLinc users

We're running the latest version, so we should have fixes for all known issues.

> SHOULD:
> 
>  * The latest stable OpenSSL should be included in ThinLinc

Indeed we are. This can be confirmed via the client log file.
Comment 7 Alexander Zeijlon cendio 2024-01-05 13:34:34 CET
I agree with comment 6;

> MUST:
> 
>  * OpenSSL included in ThinLinc should not have any known security issues
>    affecting ThinLinc users
✅ I can see that version 3.2.0 (which is the latest version at the moment) is available in our build system.

> SHOULD:
> 
>  * The latest stable OpenSSL should be included in ThinLinc
✅ Running tlclient in debug mode results in the following line in tlclient.log:
> 2024-01-05T13:18:39: ssh[E]: OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023
which shows that the client is using the up-to-date version.

Closing.
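
The log check used in comment 7 can be scripted. The following is an added example, not part of the bug report or of ThinLinc: it parses the ssh banner line in the format quoted from tlclient.log and flags any OpenSSL version below a required minimum. The function names and all sample lines except the first are assumptions made for illustration.

```python
import re

# Added example; names are illustrative, not ThinLinc's own.
# Banner layout taken from the tlclient.log line quoted in comment 7.
BANNER = re.compile(
    r"^(?P<ts>\S+): ssh\[\w\]: OpenSSH_(?P<ssh>[^,\s]+), "
    r"OpenSSL (?P<ssl>\d+\.\d+\.\d+[a-z]*)"
)
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def version_key(text):
    """Turn '3.2.0' or '1.1.1w' into a tuple that sorts in release order."""
    m = VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def find_banners(lines):
    """Return (timestamp, openssh, openssl) for every ssh banner line."""
    found = []
    for line in lines:
        m = BANNER.match(line.strip())
        if m:
            found.append((m["ts"], m["ssh"], m["ssl"]))
    return found


def audit(lines, minimum):
    """Classify a log: 'missing' (no banner), 'outdated' or 'ok'."""
    banners = find_banners(lines)
    if not banners:
        return "missing", []
    stale = [b for b in banners if version_key(b[2]) < version_key(minimum)]
    return ("outdated" if stale else "ok"), stale


# Constructed sample input: the first line is the one quoted in comment 7,
# the others are made up for this example.
SAMPLE = [
    "2024-01-05T13:18:39: ssh[E]: OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023",
    "2023-12-01T09:00:00: ssh[E]: OpenSSH_9.3p1, OpenSSL 3.0.8 7 Feb 2023",
    "2023-12-01T09:00:01: tlclient: unrelated line",
]

if __name__ == "__main__":
    print(audit(SAMPLE, "3.2.0"))
```

A "missing" result is reported separately from "ok" so that a log without a banner line is not mistaken for a passing check.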
