Is OpenSSL 1.0.2k Updated?
Running yum update openssl as advised on the Linux 2 security advisories like this one: https://alas.aws.amazon.com/AL2/ALAS-2022-1766.html doesn't update OpenSSL past version 1.0.2k.
My PCI scan continues to fail based on version 1.0.2k of OpenSSL being vulnerable.
Is Amazon updating OpenSSL to fix the vulnerabilities but not changing the version letter?
Hi
Yes, you are correct. Amazon does backport security fixes for Amazon Linux 2. This means that Amazon takes fixes out of the most recent version of upstream software packages and applies them to the version of the package on Amazon Linux 2. The available version of openssl-1.0.2k is kept up to date with all security fixes for openssl.
You can review the Amazon Linux FAQs here: https://aws.amazon.com/amazon-linux-2/faqs/
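Because backported fixes leave the upstream version string at 1.0.2k, evidence for a scanner finding has to come from the package changelog rather than the version letter. The following is an added example, not part of the original answer and not AWS code: it checks changelog text, as printed by `rpm -q --changelog openssl`, for a list of CVE IDs. The function name, the sample changelog, its `1.0.2k-NN` release and the CVE IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: report which CVE IDs a package changelog lists.
# On a real host, pass the output of:  rpm -q --changelog openssl
# Everything in SAMPLE_CHANGELOG is constructed, including the CVE IDs.

SAMPLE_CHANGELOG='* Mon Jan 03 2022 Example Packager <packager@example.com> - 1.0.2k-NN
- fix CVE-0000-0001 - constructed entry: bounds check in parser
* Tue Dec 07 2021 Example Packager <packager@example.com> - 1.0.2k-NN
- Fix cve-0000-0002 - constructed entry: certificate verification loop'

# check_cves "<changelog text>" CVE-ID...
# Prints "<id> listed" or "<id> not-listed" for each ID.
# Returns 0 only when every requested ID appears in the changelog.
check_cves() {
    _changelog=$1
    shift
    _rc=0
    for _cve in "$@"; do
        # -F: literal match, -i: packagers vary the case,
        # -w: whole token, so a truncated or longer ID does not match.
        if printf '%s\n' "$_changelog" | grep -qiwF -- "$_cve"; then
            printf '%s listed\n' "$_cve"
        else
            printf '%s not-listed\n' "$_cve"
            _rc=1
        fi
    done
    return "$_rc"
}

# Demo run against the constructed changelog; the third ID is absent.
check_cves "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 || true
```

A "not-listed" result means only that the changelog does not name the ID; check it against the advisory for the package before treating it as unpatched.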