Almalinux 8.5 - update openssl 3


How can i update openssl 1.1.1 to latest 3.0.7 version on Almalinux 8.5?

Alma Linux 8.5 is not affected by the cve-2022-3602 and cve-2022-3786 vulnerabilities because it uses openssl 1.1.1.
However, since openssl 1.1.1 will be unsupported on September 11, 2023, I would like to upgrade the server side to version 3.0.7.

Kind Regards,

dnf up

That is, install whatever updates become available.

Red Hat maintains the packages that are in RHEL. RHEL 8 lives to 2029. It will have a maintained openssl all the way.

Btw, Alma 8 is now 8.7. No longer 8.6 and definitely not 8.5 any more.

1 Like

Hello Jlehtone,

I dnf uped, after that, I installed the following two EPEL repolist.
After that, I typed sudo yum install openssl3, then, 3.0.1-43.el8.1 was installed.
Is this version is fixed cve-2022-3602 and cve-2022-3786 vulnerabilities?
I did dnf up without adding EPEL, but openssl3 was not installed.

Please let me know if you know of any page where I can check if 3.0.1-43.el8.1 is the version that addresses the cve-2022-3602 and cve-2022-3786 vulnerabilities.

epel Extra Packages for Enterprise Linux 8 - x86_64
epel-next Extra Packages for Enterprise Linux 8 - Next - x86_64

[root@ip ~]# sudo yum install openssl3
Last metadata expiration check: 0:10:59 ago on Fri 11 Nov 2022 04:45:37 PM JST.
Dependencies resolved.
** Package Architecture Version Repository Size**
** openssl3 x86_64 3.0.1-43.el8.1 epel 1.1 M**
Installing dependencies:
** openssl3-libs x86_64 3.0.1-43.el8.1 epel 2.4 M**

Kind Regards,

Lets say again:

  • Alma 8 has same packages as RHEL 8
  • RHEL 8 has some version of openssl. The openssl is a core package that several services depend on. They are built to use the openssl that RHEL 8 has
  • Red Hat does support the version of openssl that is in RHEL 8. They do backport fixes and features. See What is backporting and how does it affect Red Hat Enterprise Linux (RHEL)? - Red Hat Customer Portal
  • RHEL 8 (and hence Alma 8) will have supported version of openssl its entire life-cycle
  • EPEL is extra packages – volunteer additions; no SLA like RHEL content

The “server” will not automatically use openssl3; you would have to replace all applications/services with versions that do. It would be easier to switch to distro that does have openssl3 natively. For example, AlmaLinux 9.

That said, run:

rpm -q --changelog openssl3 | less

That is where CVEs are usually mentioned.


Thank you very much for your kind response.

I have confirmed that openssl3-3.0.1-43.el8.1.x86_64.rpm has the fix for this vulnerability, although I downloaded it from EPEL.

  • CVE-2022-3602: X.509 Email Address Buffer Overflow
  • CVE-2022-3786: X.509 Email Address Buffer Overflow
    Resolves: CVE-2022-3602

I am currently using OpenVPN Access Server on Alma Linux, but since OpenVPN Access Server is only supported on RHEL 7 and RHEL 8, and since it seemed difficult to upgrade the entire OS from Alma Linux 8.6 to Alma Linux 9 I was looking for a fix for the openss3 vulnerability that works on AlmaLinux 8.

Kind Regards,