Is OpenSSL 1.0.2k Updated?
Running yum update openssl as advised on the Linux 2 security advisories like this one: https://alas.aws.amazon.com/AL2/ALAS-2022-1766.html doesn't update OpenSSL past version 1.0.2k.
My PCI scan continues to fail based on version 1.0.2k of OpenSSL being vulnerable.
Is Amazon updating OpenSSL to fix the vulnerabilities but not changing the version letter?
Yes, you are correct. Amazon does backport security fixes for Amazon Linux 2. This means that Amazon takes fixes out of the most recent version of upstream software packages and applies them to the version of the package on Amazon Linux 2. The available version of openssl-1.0.2k is kept up to date with all security fixes for openssl.
You can review the Amazon Linux FAQs here: https://aws.amazon.com/amazon-linux-2/faqs/
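One way to gather evidence of a backported fix for a scanner dispute, as an added example that is not part of the original question or answer: search the package changelog for the CVE the scanner reports. It assumes the changelog names the CVE IDs it fixes; the sample changelog, CVE IDs and release strings below are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Finds the RPM changelog entries
# that mention a given CVE, as evidence that a fix was backported into a
# package whose upstream version string (1.0.2k) never changes.
# Assumption: the package changelog names the CVE IDs it fixes.

# Reads an RPM changelog on stdin. Prints the header line of every entry that
# mentions the CVE in $1; exit status is 1 if no entry mentions it.
cve_in_changelog() {
    awk -v cve="$1" '
        /^\* /         { header = $0; printed = 0; next }   # start of an entry
        index($0, cve) { if (!printed) { print header; printed = 1 }; found = 1 }
        END            { exit(found ? 0 : 1) }
    '
}

# Constructed sample changelog. The CVE IDs, dates, names and release strings
# are placeholders, not real Amazon Linux 2 data.
sample_changelog() {
    cat <<'EOF'
* Tue Feb 01 2022 Example Maintainer <maint@example.com> - 1:1.0.2k-99.example.2
- Fix CVE-0000-00002: constructed entry for a backported patch

* Mon Jan 03 2022 Example Maintainer <maint@example.com> - 1:1.0.2k-99.example.1
- Fix CVE-0000-00001: first constructed entry
- Add regression test for CVE-0000-00001
EOF
}

# On a real host, feed the installed package's changelog instead:
#   rpm -q openssl     # full version-release, not just 1.0.2k
#   rpm -q --changelog openssl | cve_in_changelog "CVE-YYYY-NNNNN"
sample_changelog | cve_in_changelog "CVE-0000-00001" || echo "not found"
```

The header line it prints carries the package release that introduced the fix, which can be compared with the release shown by `rpm -q openssl`.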