How do we remove OpenSSL 1.1.X after upgrading to 3.3.X by building and installing from source on AlmaLinux 8?

Owing to this OpenSSL 1.1.1 < 1.1.1za Vulnerability, we have decided to upgrade to OpenSSL 3.0.X or 3.3.X. The OS we use is AlmaLinux 8.X, and we followed the steps to build OpenSSL from source and install it with the help of numerous articles out there. Here is our problem:

OpenSSL 1.1.X is still installed under DNF / YUM, and removing it via dnf remove <package name> removes the dependent packages such as Git and WALinuxAgent, which are two important packages for our VMs to operate. They don’t recognize the new OpenSSL installed from source, even though it has been added to the path and all that. Removing these packages and re-installing them reinstalls OpenSSL 1.1.X. How do we deal with a vulnerable package now?

How do we install OpenSSL 3.3.X and eliminate the dependency on OpenSSL 1.1.X from the existing and new packages?

I tried to install by building the OpenSSL 3.3.X source and installing it. It worked, but new or older packages installed via rpm don’t move their dependency on OpenSSL from 1.1.X to 3.3.X.

We did try to install the built packages via fpm, but it threw a conflicting library package error as below:

Last metadata expiration check: 1 day, 18:52:13 ago on Mon Aug  5 15:53:23 2024.
Error:
 Problem: problem with installed package openssl-libs-1:1.1.1k-12.el8_9.x86_64
  - installed package openssl-libs-1:1.1.1k-12.el8_9.x86_64 obsoletes openssl < 1:1.0.1-0.3.beta3 provided by openssl-3.0.14-1.x86_64 from @commandline
  - package openssl-libs-1:1.1.1k-12.el8_9.x86_64 from baseos obsoletes openssl < 1:1.0.1-0.3.beta3 provided by openssl-3.0.14-1.x86_64 from @commandline
  - conflicting requests
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

cve-details says that while ‘openssl’ in el8 is affected, the vulnerability:

is only exploitable if the application is misconfigured to use a zero-length server list and mishandles the ‘no overlap’ response in ALPN or uses the output as the opportunistic protocol in NPN.

Do the “Git and WALinuxAgent” do that?


One does not replace core system packages in Enterprise Linux. If you do and the system breaks – as is likely – then that is all on you.


Understood, and I got a response from the AlmaLinux OS Foundation chat that most of the CVEs are fixed via backporting and there is no need for us to update now. Yes, we won’t replace the system-provided OpenSSL as it breaks our other applications.
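Two checks that settle both questions raised in this thread (whether rpm-installed binaries such as git really use the source-built OpenSSL, and whether the packaged openssl-libs already carries a backported fix) can be scripted. The script below is an added example, not code from any poster or from AlmaLinux. The package names openssl-libs and git are real; the CVE identifier, the rpm changelog excerpt and the ldd output used in the comments are constructed samples, and the helper names are my own. The two rpm/ldd wrappers only work on a host that has those tools; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example for this thread (not from any poster or from AlmaLinux):
# checks worth running on AlmaLinux 8 before replacing the packaged
# openssl-libs. CVE ids and tool output shown here are constructed samples.
#
# 1. changelog_mentions_cve / backport_fixed
#    RHEL-family distributions backport fixes without changing the upstream
#    version string, so "1.1.1k" alone says nothing about a given CVE. The
#    package changelog lists the CVEs whose fixes were backported.
# 2. libssl_from_ldd / binary_loads_libssl / libssl_origin
#    An OpenSSL built into /usr/local does not change which libssl an
#    rpm-installed binary (git, the python used by WALinuxAgent) resolves
#    at run time; ldd shows the library that is actually loaded.

# Read changelog text on stdin; print "fixed" and return 0 if the CVE id
# appears, otherwise print "not-found" and return 1.
changelog_mentions_cve() {
    cve="$1"
    if grep -q -i -F -- "$cve"; then
        echo "fixed"
        return 0
    fi
    echo "not-found"
    return 1
}

# Query the installed package's changelog with rpm (needs rpm on the host).
# Usage: backport_fixed openssl-libs CVE-YYYY-NNNN   (id is a placeholder)
backport_fixed() {
    rpm -q --changelog "$1" | changelog_mentions_cve "$2"
}

# Read `ldd` output on stdin; print the path of the libssl that would be
# loaded, or "none" if the binary does not link libssl at all.
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# Resolve a command on PATH and report its libssl (needs ldd on the host).
# Usage: binary_loads_libssl git
binary_loads_libssl() {
    ldd "$(command -v "$1")" | libssl_from_ldd
}

# Classify a libssl path: "system" for the distro's library directories,
# "other" for anything else, such as a source build under /usr/local.
libssl_origin() {
    case "$1" in
        /lib64/*|/usr/lib64/*) echo "system" ;;
        *) echo "other" ;;
    esac
}
```

On a real host, `backport_fixed openssl-libs <CVE id>` answers the "is it already fixed by a backport" question without trusting the version number, and `libssl_origin "$(binary_loads_libssl git)"` shows whether git is still loading the packaged /lib64/libssl.so.1.1 regardless of what is on PATH. `rpm -q --whatrequires openssl-libs` lists everything dnf would pull out along with the package, which is the dependency chain the original post ran into.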