Fedora 37 Release Delayed To Mid-November Over Critical OpenSSL Vulnerability


  • Fedora 37 Release Delayed To Mid-November Over Critical OpenSSL Vulnerability

    Phoronix: Fedora 37 Release Delayed To Mid-November Over Critical OpenSSL Vulnerability

    Fedora Linux 37 has been running behind schedule and today it was decided to push it back now to mid-November over a "critical" OpenSSL vulnerability yet to be made public...

    https://www.phoronix.com/news/Fedora-37-November-Delay

  • #2
    Whenever I hear another news about security issues.


    • #3
      A very bad decision TBO.

      Release or not changes absolutely nothing. On the day of release any other vulnerability may be announced.


      • #4
        Originally posted by birdie
        A very bad decision TBO.

        Release or not changes absolutely nothing. On the day of release any other vulnerability may be announced.
        I actually agree. It's all "functional release candidate" software, at best. Someone out there way smarter than all of us combined will just find another hole to exploit. It had better be critical at the level of zero user interaction insta-pwn otherwise release it and have the updated OpenSSL version waiting in the pipe. Nothing to see here.


        • #5
          Not knowing the details of the impending OpenSSL zero-day, I'm going to agree with the delay. If it's bad and the blackhats know how to exploit it immediately after a fresh install, it's not worth the potential headaches not to delay the release until after it's ready. This is Fedora: release dates are targets, neither cast in stone nor cast stones.


          • #6
            What would Fedora be without release delays?


            • #7
              Oh joy, what did the NSA sabotage in that project this time?


              • #8
                Originally posted by pipe13
                Not knowing the details of the impending OpenSSL zero-day, I'm going to agree with the delay.
                And all of the people in Fedora who make the decisions have come to the same conclusion.

                This is the first "Critical" vulnerability in OpenSSL since 2014 (Heartbleed). It is almost certainly bad and trivially exploited. It will not be clear until next Tuesday if the vulnerability could be properly mitigated with a day+n update after release (on Nov 1st, RH and the other members of the secret handshake club will have an update available, but Fedora will only be able to build an update after the fix is publicly available, and it takes time even for security updates to get deployed for existing releases, and for releases in the middle of the final release freeze, it can take even longer), but those who do know about the details have recommended Fedora wait.


                • #9
                  Why is there a screenshot from a child's iPad in a Fedora article, Michael?


                  • #10
                    Yet another reason to continue to use LibreSSL.
