The only entry listed on the Amazon Linux 2 Security Patches page https://alas.aws.amazon.com/alas2.html for openssl11 is ALAS2-2020-1456 https://alas.aws.amazon.com/AL2/ALAS-2020-1456.html. It says it was released July 2020, which makes me think that it'd be up-to-date, but the CVEs mentioned there don't line up with the April 2020 CVE listed on the OpenSSL page https://www.openssl.org/news/vulnerabilities-1.1.1.html. So I'm just pretty confused as to what's exactly up-to-date where.
Ah, I think I see what's happening now. CVE-2020-1967 didn't affect 1.1.1c, so in fact all security patches have been applied to the openssl11 packages. (Well, maybe not CVE-2020-1971 that just was announced today, but hopefully we'll see them patching that soon too.)
Hopefully reading through this confusion of mine helped someone else, though. :)
And indeed, they just patched CVE-2020-1971 for both openssl and openssl11.
https://alas.aws.amazon.com/AL2/ALAS-2020-1573.html
All my fears that they weren't paying attention to updates are assuaged. Thanks!
openssl11, while still at version 1.1.1c, is receiving full support. As others have noted in this thread, we have been backporting patches for vulnerabilities that we have found to be applicable to 1.1.1c and we intend to keep updating the openssl11 package in the future.
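Because fixes are backported while the version string stays at 1.1.1c, the package changelog is a better indicator of patch status than the upstream version number. The script below is an added example, not from this thread or from AWS: it assumes backport entries name the CVE id in the RPM changelog, and the sample changelog (packager, release strings) is constructed.

```shell
#!/usr/bin/env bash
# Added example: look up CVE ids in an RPM changelog instead of trusting the version string.

# Constructed sample in RPM changelog layout (not real openssl11 output).
SAMPLE_CHANGELOG='* Tue Dec 08 2020 Example Packager <pkg@example.com> - 1:1.1.1c-15.example
- backport fix for CVE-2020-1971
* Mon Jul 06 2020 Example Packager <pkg@example.com> - 1:1.1.1c-14.example
- rebuild with updated build flags'

# Read a changelog on stdin; print the header of the entry that mentions the
# CVE id given as $1. Returns 1 if the id never appears.
backport_entry() {
    awk -v cve="$1" '
        /^\* / { header = $0 }                       # start of a changelog entry
        $0 ~ (cve "([^0-9]|$)") { print header; found = 1; exit }
        END { exit !found }
    '
}

# report CHANGELOG_TEXT CVE...: one status line per CVE id.
report() {
    changelog=$1; shift
    for cve in "$@"; do
        if entry=$(printf '%s\n' "$changelog" | backport_entry "$cve"); then
            # The version-release is whatever follows the last " - " in the header.
            echo "$cve: fixed in ${entry##* - }"
        else
            # Absence is ambiguous: the fix may be missing, or this build may
            # never have been affected (as with CVE-2020-1967 and 1.1.1c).
            echo "$cve: not in changelog (unpatched, or build not affected)"
        fi
    done
}

# On a host with openssl11 installed, use the real changelog; otherwise the sample.
if command -v rpm >/dev/null 2>&1 && rpm -q openssl11 >/dev/null 2>&1; then
    report "$(rpm -q --changelog openssl11)" CVE-2020-1967 CVE-2020-1971
else
    report "$SAMPLE_CHANGELOG" CVE-2020-1967 CVE-2020-1971
fi
```

A "not in changelog" result still needs a check of the affected-versions list in the upstream advisory before concluding the package is unpatched.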