puppetlabs / puppet-runtime

runtime dependencies for Vanagon projects
Apache License 2.0

Bump puppet-agent's bundled openssl to address CVE-2024-5535 #872

Closed cthorn42 closed 4 days ago

cthorn42 commented 2 months ago

Details are listed here: https://www.openssl.org/news/secadv/20240627.txt Highlights are:

Puppet-agent 7.31.0 has OpenSSL version 1.1.1v (patched of course) and puppet-agent 8.7.0 has OpenSSL version 3.0.13. When a fix for this CVE is released we should patch the former and upgrade the latter.

joshcooper commented 2 months ago

Should we move this issue to the puppet-runtime project since that's where the fix will land?

github-actions[bot] commented 2 months ago

Migrated issue to PA-6699

joshcooper commented 4 days ago

puppet 7/openssl 1.1.1 fixed in https://github.com/puppetlabs/puppet-runtime/pull/899

puppet 8/openssl 3.0.x fixed in https://github.com/puppetlabs/puppet-runtime/pull/894