Fedora CoreOS fixes for OpenSSL CVE-2022-3602/CVE-2022-3786

Cross-posted with this coreos-status email.

OpenSSL has released fixes for two vulnerabilities in X.509 certificate verification. On affected releases, connecting to a malicious HTTPS server can result in a crash or potentially in remote code execution. The risk of remote code execution is believed to be mitigated by multiple factors. For more information, see the upstream and Red Hat advisories and the upstream blog post. In addition, software written in Go, including Ignition and the Podman stack, is not affected.

Fedora CoreOS will roll out a fix later today in out-of-cycle next (37.20221021.1.1) and testing (36.20221014.2.1) releases. These will be followed by regular releases tomorrow, including a fixed stable (36.20221014.3.0).
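One check a node operator would want after reading the above is whether a given host has already picked up one of these releases. The following is an added example, not code from the Fedora CoreOS project or the original post: it compares the booted deployment's version against the first fixed release for its stream. The fixed versions are the ones listed above; the `rpm-ostree status --json` field names it reads (`deployments[].booted`, `version`, `base-commit-meta["fedora-coreos.stream"]`) are an assumption about that command's output, and the sample status document is constructed rather than captured from a real node.

```python
"""Check whether a Fedora CoreOS deployment is at or above the release that
carries the OpenSSL CVE-2022-3602/CVE-2022-3786 fix.

Added example, not from the Fedora CoreOS project. The fixed release versions
per stream come from the announcement. The rpm-ostree JSON field names used
below are an ASSUMPTION about `rpm-ostree status --json` output, and
SAMPLE_STATUS is a constructed document, not a capture from a real node.
"""
import json
import subprocess

# First release of each stream that carries the fix (from the announcement).
FIXED_VERSIONS = {
    "next": "37.20221021.1.1",
    "testing": "36.20221014.2.1",
    "stable": "36.20221014.3.0",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split an FCOS version such as 36.20221014.2.1 into comparable integers.

    The components are major.date.minor.patch; comparing the tuples gives the
    release order within a single stream, including across a Fedora rebase
    (a 37.* testing release sorts after every 36.* testing release).
    """
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Fedora CoreOS version: {version!r}")
    return tuple(int(p) for p in parts)


def is_fixed(stream: str, version: str) -> bool:
    """True if `version` on `stream` is the first fixed release or a later one."""
    if stream not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for stream {stream!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[stream])


def booted_deployment(status: dict) -> tuple[str, str]:
    """Return (stream, version) of the booted deployment.

    ASSUMPTION: each entry in `deployments` carries `booted`, `version` and a
    `base-commit-meta` map with the key `fedora-coreos.stream`.
    """
    for dep in status.get("deployments", []):
        if dep.get("booted"):
            stream = dep["base-commit-meta"]["fedora-coreos.stream"]
            return stream, dep["version"]
    raise ValueError("no booted deployment in rpm-ostree status output")


def check_node(status: dict) -> dict:
    """Summarise the booted deployment and whether it carries the fix."""
    stream, version = booted_deployment(status)
    return {"stream": stream, "version": version, "fixed": is_fixed(stream, version)}


def live_status() -> dict:
    """Read the real node's status; only meaningful on a Fedora CoreOS host."""
    out = subprocess.run(
        ["rpm-ostree", "status", "--json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample: a testing node that has not yet taken the out-of-cycle
# release, with the previous deployment still present for rollback.
SAMPLE_STATUS = {
    "deployments": [
        {"booted": True, "version": "36.20221014.2.0",
         "base-commit-meta": {"fedora-coreos.stream": "testing"}},
        {"booted": False, "version": "36.20220930.2.0",
         "base-commit-meta": {"fedora-coreos.stream": "testing"}},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE_STATUS with live_status() when running on an actual node.
    print(check_node(SAMPLE_STATUS))
```

Because the fix shipped as a point release on each stream, a plain string or float comparison of versions is not enough; the four-component tuple comparison above is what keeps `36.20221014.2.1` ahead of `36.20221014.2.0` while still sorting a later `37.*` release on the same stream as fixed.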

Updates will be posted in the Fedora CoreOS tracker issue. If you have any questions or concerns, post a comment in the issue or contact us in #fedora-coreos on Libera.Chat.
