
URL: https://repost.aws/questions/QU5ozbD83mQV6M10azzJ2HMw/trying-to-patch-a-vulnerability-and-understand-openssl-versions-in-amazon-linux-2

Trying to patch a vulnerability and understand OpenSSL versions in Amazon Linux 2 | AWS re:Post

Hello, A vulnerability scan on our EC2 instance is revealing it is susceptible to CVE-2022-1292 and so I am trying to patch it to keep it secure. My currently installed version of OpenSSL is

openssl.x86_64 1:1.0.2k-24.amzn2.0.4 @amzn2-core

This is the newest available version of the openssl package in the yum repository, but (from the linked CVE page): "[The vulnerability is] Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd)." meaning I am a few versions behind where I need to be.

How can I reconcile this? Thanks.

1 Answer

Hi there

Please take a look at this answer

https://repost.aws/questions/QUaugGX-qTQAGlNnaQil5zig/is-open-ssl-1-0-2-k-updated

From the Amazon Linux 2 FAQ (https://aws.amazon.com/amazon-linux-2/faqs/)

Q. What is included in the Long Term Support for Amazon Linux 2?

Long-term support for Amazon Linux 2 only applies to core packages and includes:
1) AWS will provide security updates and bug fixes for all packages in core until June 30, 2024.

From https://alas.aws.amazon.com/AL2/ALAS-2022-1801.html: The latest package for addressing (CVE-2022-1292) is openssl-1.0.2k-24.amzn2.0.3.x86_64

EXPERT

answered 4 years ago
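As an added example, not part of the question or the answer above: a small Python script that compares the version strings quoted on this page using RPM's epoch:version-release ordering. It shows why a scanner that only compares the upstream version number (1.0.2ze) flags the instance even though the build ALAS-2022-1801 names as fixed is already installed. The comparison is a simplified reimplementation of rpm's segment ordering, assumed sufficient for amzn2 release strings (tilde/caret markers are not handled).

```python
import re

# Version strings quoted on this page: what yum reports as installed (question),
# the fixed build named in ALAS-2022-1801 (answer), and the upstream fix release.
INSTALLED = "1:1.0.2k-24.amzn2.0.4"
ALAS_FIXED = "openssl-1.0.2k-24.amzn2.0.3.x86_64"
UPSTREAM_FIXED = "1.0.2ze"


def parse_evr(pkg: str):
    """Split '[name-][epoch:]version-release[.arch]' into (epoch or None, version, release)."""
    s = re.sub(r"\.(x86_64|aarch64|noarch|i686)$", "", pkg)  # drop arch suffix
    s = re.sub(r"^[A-Za-z][\w+.-]*?-(?=\d)", "", s)            # drop package name, if any
    epoch = None
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, _, release = s.partition("-")
    return epoch, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm ordering: numeric segments compare as integers, alpha segments
    lexically, a numeric segment beats an alpha one, and more segments wins a tie."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(installed: str, candidate: str) -> int:
    ei, vi, ri = parse_evr(installed)
    ec, vc, rc = parse_evr(candidate)
    # ALAS lists packages without the epoch, so only compare it when both carry one.
    if ei is not None and ec is not None and ei != ec:
        return (ei > ec) - (ei < ec)
    return rpmvercmp(vi, vc) or rpmvercmp(ri, rc)


def patched_per_alas(installed: str, alas_fixed: str) -> bool:
    """True when the installed build is at or above the one the distro advisory names as fixed."""
    return evr_cmp(installed, alas_fixed) >= 0


def patched_per_upstream(installed: str, upstream_fixed: str) -> bool:
    """The naive check many scanners do: compare only the upstream version number."""
    return rpmvercmp(parse_evr(installed)[1], upstream_fixed) >= 0


if __name__ == "__main__":
    print("upstream-version check says patched:", patched_per_upstream(INSTALLED, UPSTREAM_FIXED))  # False
    print("ALAS-2022-1801 check says patched:  ", patched_per_alas(INSTALLED, ALAS_FIXED))        # True
```

On the instance itself the authoritative confirmation is the package changelog, for example `rpm -q --changelog openssl | grep CVE-2022-1292`, since Amazon Linux backports the fix without changing the upstream version number.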