hexpm/bob

Upcoming critical security update for OpenSSL

lawik opened this issue · 4 comments

lawik commented

OpenSSL has announced that a fix is coming on the 1st of Nov for a critical vulnerability in OpenSSL.

Some details here:
https://www.malwarebytes.com/blog/news/2022/10/critical-openssl-fix-due-november-1st-get-ready-to-patch

Checking the containers I run based on hexpm/elixir:1.12.3-erlang-24.3.4.4-ubuntu-jammy-20220428, they contain OpenSSL 3.0.2 and as such would be vulnerable. There is not a lot of reason to think this will affect the Erlang usage of OpenSSL, since it is limited and particular, but since we don't know what the vulnerability is I'd rather be prepared.

I assume Ubuntu will have a package ready to go via early embargo access but I don't know.
But I guess it could be appropriate to re-release updates of affected images when the fix is out?

Note that only Erlang/OTP 25.1 or later support OpenSSL 3.0, so I wouldn't expect earlier versions to be affected.

lawik commented

Interesting :)

The details of how it works at that level are beyond me. The container contains an openssl that reports 3.0.2 and it is an Erlang 24 container. Is there a separate OpenSSL packed in there for Erlang then, or how does that work?

Either way I think a bunch of people with container-scanning tools and such will be told they have a critical vulnerability in their containers very soon.

Me, I'd rather just make sure I'm up to date and I'd rather not take on an Elixir + Erlang update to get there :)
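The question above (does the Erlang runtime use the same OpenSSL the `openssl` binary reports?) can be answered by asking both sides. The script below is an added example, not code from this issue or from the bob project: it extracts the version from the two banners and flags the 3.0 series, which is the series the announced fix targets. The `crypto:info_lib()` command in the comments is standard OTP; the banners fed to it here are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the hexpm/bob issue). Compare the OpenSSL version the
# system `openssl` binary reports with the version Erlang's crypto NIF is linked
# against. Container scanners only see the former; the runtime's exposure
# depends on the latter.
#
# Inside a container the two banners come from (assumed usage):
#   openssl version
#   erl -noshell -eval 'io:format("~s~n",[element(3,hd(crypto:info_lib()))]), halt().'
# The banners below are constructed so the script runs offline.

# Extract MAJOR.MINOR.PATCH from a banner such as "OpenSSL 3.0.2 15 Mar 2022".
openssl_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# True (exit 0) when the version is on the 3.0.x series. The fixed patch level
# is not known at the time of the issue, so the whole series is flagged;
# tighten this to a patch-level comparison once the fixed release is out.
is_openssl_3_0() {
  case "$1" in
    3.0|3.0.*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Print one verdict for an image given the system banner ($1) and the banner
# Erlang's crypto reports ($2): runtime-affected, scanner-only or clear.
assess() {
  sys_ver=$(openssl_version "$1")
  erl_ver=$(openssl_version "$2")
  if is_openssl_3_0 "$erl_ver"; then
    echo "runtime-affected"   # Erlang crypto links 3.0.x: rebuild when the fix lands
  elif is_openssl_3_0 "$sys_ver"; then
    echo "scanner-only"       # only the CLI binary is 3.0.x; rebuild to quiet scanners
  else
    echo "clear"
  fi
}

# Constructed sample matching the jammy image in the issue: both copies are 3.0.2.
assess "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 3.0.2 15 Mar 2022"
# Constructed sample where only the CLI binary is 3.0.x.
assess "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 1.1.1n  15 Mar 2022"
```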

When Ubuntu release their new images we can update to use them and trigger builds for them.

lawik commented

Great!