Bug 8638 - Upgrade OpenSSL to latest version
Summary: Upgrade OpenSSL to latest version
Status: RESOLVED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.20.0
Assignee: Samuel Mannehed
Keywords: prosaic
Reported: 2025-07-10 09:44 CEST by Samuel Mannehed
Modified: 2025-07-15 12:37 CEST
Acceptance Criteria:
MUST:

* OpenSSL included in ThinLinc should not have any known security issues affecting ThinLinc users

SHOULD:

* The latest stable OpenSSL should be included in ThinLinc


Description Samuel Mannehed cendio 2025-07-10 09:44:38 CEST
We have OpenSSL 3.4.1 in Cenbuild. Currently, the latest version of OpenSSL is 3.5.1, and it looks like it includes a fix for one CVE [1]:

CVE-2025-4575:
  Impact summary - If a user intends to make a trusted certificate rejected
  for a particular use it will be instead marked as trusted for that use.

[1] https://openssl-library.org/news/vulnerabilities-3.5/#CVE-2025-4575
Comment 1 Samuel Mannehed cendio 2025-07-10 11:42:49 CEST
CVE-2025-4575 only affects versions from 3.5.0 before 3.5.1, which means our OpenSSL 3.4.1 was never affected.
Comment 2 Samuel Mannehed cendio 2025-07-10 14:26:21 CEST
The release notes for OpenSSL 3.5 can be found here: https://github.com/openssl/openssl/blob/master/CHANGES.md#openssl-35
Comment 4 Samuel Mannehed cendio 2025-07-10 20:49:57 CEST
OpenSSL has now been upgraded to 3.5.1. It built without problem for all Cenbuild architectures, and using those packages, I could build the client-zip successfully.

Using the newly built RPM client, I was able to connect to both a RHEL9 server and a Fedora 42 server.

> MUST:
> 
> * OpenSSL included in ThinLinc should not have any known security issues affecting ThinLinc users
It doesn't.

> SHOULD:
> 
> * The latest stable OpenSSL should be included in ThinLinc
Yep.
Comment 5 Samuel Mannehed cendio 2025-07-15 12:37:48 CEST
I also tested smart-card authentication on Windows 11, macOS 15.5, and Fedora 42 as part of testing bug 8619. Smart card authentication uses OpenSC, which in turn uses OpenSSL.
