openssl-fips-provider #14019
Unanswered
jdonovan1013 asked this question in 2.4
Replies: 1 comment
I see that the updated openssl that also had a CVE was pulled down on Dec. 1st. We were not explicitly pulling openssl-fips-provider down since it's a dependency of systemd. I tried to install the version that is mentioned in the CVE manually, but systemd blocked it. It will have to wait until systemd is updated for it to actually install.
Version
2.4.60
Installation Method
Security Onion ISO image
Description
other (please provide detail below)
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Meets minimum requirements
CPU
4
RAM
24
Storage for /
100
Storage for /nsm
215
Network Traffic Collection
span port
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Our vulnerability scanners are reporting that there is a vulnerability present in the installed version of "openssl-fips-provider" in our SecurityOnion servers. We have reviewed, and the reported version numbers appear to be correct. The updated version does not appear to be available in the update repository.
The Oracle reference number for the vulnerability is ELSA-2024-9333.
Installed version: openssl-fips-provider-3.0.7-2.0.1.el9
Updated version: openssl-fips-provider-3.0.7-6.0.1.el9_5
Is this patch being held for a specific reason? Is it anticipated that the patch will become available in the near future?