Our office subscribes to the Cybersecurity and Infrastructure Security Agency's "Web Application Scanning" report. They have been dinging us for a while with vulnerability issues in openssl 1.1.1w and are advising upgrading to 1.1.1x which fixes the problem. 1.1.1w is the latest available for Slackware 15.0.

Does anyone have any idea when 1.1.1x will be part of the standard release?

I see that Slackware-current has openssl 1.1.1x. Can I just download and install that package or will that mess up all kinds of things?

Thanks

Slackware current provides openssl-1.1.1w, AFAIK there's no public 1.1.1x release.

I suggest to ask to these people who advise you to upgrade to the newer version where to get it.

version > 1.1.1w are only available with openssl premium support (US$50,000 annually)

https://www.openssl.org/support/cont...2377ab439bc0e8

The git branch shows no checkins for 1.1.1x.
https://github.com/openssl/openssl/c..._1_1_1-stable/

Also, when 1.1.1w was released, the openssl team declared 1.1.1 EOL. I doubt there are anymore vulnerability fixes, as they will charge money for it.

Are they trying to get you to upgrade to version 3.x, and their message is just wrong?

There is already 1.1.1y for paying customers.

According to https://www.openssl.org/news/vulnerabilities-1.1.1.html there are three issues in 1.1.1w:

• CVE-2023-5678 Excessive time spent in DH check / generation with large Q parameter value [LOW severity] 06 November 2023
• CVE-2024-0727 PKCS12 Decoding crashes [Low severity] 25 January 2024
• CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3 [Low severity] 08 April 2024

1 members found this post helpful.

In slackware current there is https://mirrors.slackware.com/slackw...w-x86_64-1.txz (openssl-solibs-1.1.1w). I don't know if that would be sufficient, but there is no corresponding openssl 1.1.1w.
Ha ha ha ha ha! Right, I'm gonna fork over $50K.
They did say that versions 3.0.14, 3.1.6 and 3.2.2 don't have the vulnerability. Does anyone know if there will be a Linux/Slackware release of these versions any time soon?
And to whom does one pay? If it's the same $50K as mentioned by ponce, I can't imagine why anyone would pay that, especially for low severity problems.
So, these issues are all low severity. The worst consequence it seems is "excessive time" (CVE-2023-5678) or the system crashes (CVE-2024-0727, CVE-2024-2511). Nothing about infiltration or data exfiltration.

I don't see why this is a big deal.

As Linux is supposed to be a free distro, I would assume they'll be coming out with a new version of openssl one of these day, yes?

Indeed, the proposition seems ludicrous.

Reading the disclosures on the 3 vulnerability fixes at the link shared, I think most people would not be affected by those bugs. I think with some research, you can determine if you can keep using 1.1.1w and report back to your compliance people that you are not using a vulnerable configuration.

Slackware current has openssl 3.3.0. There's your other option if you want to upgrade. Or you might be able to backport it and recompile the applications you are using.

1 members found this post helpful.

There are plenty of vendors who use OpenSSL in their appliances who cannot easily upgrade them to a newer version of OpenSSL, as it requires lots of work. Such vendors take out the extended support contract to bridge the gap until those appliances can either be upgraded or they're EOL. Customers often pay vendors (RH, MS and I'm sure Canonical (Ubuntu) too) eye watering sums for the vendor to continue supporting an EOL OS or product because they cannot upgrade easily.

OpenSSL ________ eol
3.3 _____________ 10 Apr 2026
3.2 _____________ 23 Nov 2025
3.1 _____________ 14 Mar 2025
3.0 (LTS)_________ 07 Sep 2026

Well the Slackware team are incredible but the latest version of OpenSSL 3 is 3.0.13 But a little backport would be welcome (eudev-3.2.14 is a nightmare, without offense for eudev devs).

No, it's not. The latest stable version is 3.2.1 and the latest non-stable is 3.3.0 (https://www.openssl.org/source/).

The latest LTS version is the 3.0.13 mentionned above.

ntp-4.2.8p17
ntp-4.2.8p18
"ntp-4.2.8p18 fixes somewhere between 2 and 3 dozen bugs."
SCaLE 21x Slides and Speaker Notes.pdf

I've snagged stuff from Slackware-current before and built on the "official" release. Sometimes it's worked, sometimes not. openssl seems like it would have it's tentacles in lots of other packages and I'm doubtful the attempt would be successful.

Since it's a decade-ish between new Slackware releases and openssl 1.1.1 is already at EOL, maybe the Slackware folks will come out with an openssl upgrade for 15.0 sooner rather than later.