Owing to this OpenSSL 1.1.1 < 1.1.1za vulnerability, we have decided to upgrade to OpenSSL 3.0.X or 3.3.X. The OS we use is AlmaLinux 8.X, and we followed the steps to build OpenSSL from source and install it with the help of numerous articles out there. Here is our problem:
OpenSSL 1.1.X is still installed under DNF / YUM, and removing it via dnf remove <package name> removes the dependent packages such as Git and WALinuxAgent, which are two important packages for our VMs to operate. They don't recognize the new OpenSSL installed via source - they are added to the path and all that. Removing these packages and re-installing them reinstalls OpenSSL 1.1.X. How do we deal with a vulnerable package now?
How do we install OpenSSL 3.3.X and eliminate the dependency on OpenSSL 1.1.X from the existing and new packages?
I tried to install by building the OpenSSL 3.3.X source and installing it. It worked, but new or older packages installed via rpm don't move their OpenSSL dependency from 1.1.X to 3.3.X.
We did try to install the built packages via fpm, but it threw a conflicting library package error, as below:
Last metadata expiration check: 1 day, 18:52:13 ago on Mon Aug 5 15:53:23 2024.
Error:
Problem: problem with installed package openssl-libs-1:1.1.1k-12.el8_9.x86_64
- installed package openssl-libs-1:1.1.1k-12.el8_9.x86_64 obsoletes openssl < 1:1.0.1-0.3.beta3 provided by openssl-3.0.14-1.x86_64 from @commandline
- package openssl-libs-1:1.1.1k-12.el8_9.x86_64 from baseos obsoletes openssl < 1:1.0.1-0.3.beta3 provided by openssl-3.0.14-1.x86_64 from @commandline
- conflicting requests
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)