Cross-posted with this coreos-status email.
OpenSSL has released fixes for two vulnerabilities in X.509 certificate verification. On affected releases, connecting to a malicious HTTPS server can result in a crash or potentially in remote code execution. The risk of remote code execution is believed to be mitigated by multiple factors. For more information, see the upstream and Red Hat advisories and the upstream blog post. In addition, software written in Go, including Ignition and the Podman stack, is not affected.
Fedora CoreOS will roll out a fix later today in out-of-cycle next (37.20221021.1.1) and testing (36.20221014.2.1) releases. These will be followed by regular releases tomorrow, including a fixed
Updates will be posted in the Fedora CoreOS tracker issue. If you have any questions or concerns, post a comment in the issue or contact us in #fedora-coreos on Libera.Chat.