Is OpenSSL 1.0.2k Updated?
Running yum update openssl as advised on the Linux 2 security advisories like this one: https://alas.aws.amazon.com/AL2/ALAS-2022-1766.html doesn't update OpenSSL past version 1.0.2k.
My PCI scan continues to fail based on version 1.0.2k of OpenSSL being vulnerable.
Is Amazon updating OpenSSL to fix the vulnerabilities but not changing the version letter?
- Tags
- Security
- Language
- English
asked 4 years ago7.9K views
- Newest
- Most votes
- Most comments
Hi
Yes, you are correct Amazon does backport security fixes for Amazon Linux 2, this means that Amazon takes fixes out of the most recent version of upstream software packages and applies it to the version of the package on Amazon Linux 2. The available version of openssl-1.0.2k is kept up to date with all security fixes for openssl.
Can review the Amazon Linux FAQs here: https://aws.amazon.com/amazon-linux-2/faqs/
Relevant content
asked 2 years ago
- Accepted Answer
asked 3 years ago
- Accepted Answer
asked 4 years ago
