Rocky Linux and Openssl 3.2.2

Hello,
Rocky Linux 9.5 upgraded openssl libs to 3.2.2.
For those of us who cannot run dnf update for various reasons, this causes a lot of issues if only openssl is updated. It seems that OpenSSL promises ABI compatibility as long as the .so version is the same, but some packages explicitly check the openssl version and refuse to run. For example, updating only openssl on 9.4 or earlier causes such issues:

  1. openssh does not accept new connections, it fails with the error:
    OpenSSL version mismatch. Built against 30000070, you have 30200020
  2. radiusd (at least compiled from source) fails with a similar error:
    libssl version mismatch. built: 30000070 linked: 30200020

Updating sshd and recompiling radiusd solves the issue.
So the main question is, how dangerous is it to run a system with updated ssl without running a full dnf/yum update? As far as I can see, only a few packages (openssh, radiusd) explicitly check openssl versions, and others trust that the updated openssl ABI will work.

Briefly, it's dangerous. It's important to see the technical system as a conceptual system where every component brings its part in to make the technical system secure. This is also what was validated. Everything else is not verified.

It is dangerous to run your system(s) like that. Cherry picking updates or rebuilding only against a subset of updated packages is unsupported and will likely lead to system instability.

You are highly recommended to update your system to full.

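The two hex words in the error messages quoted in the question are OPENSSL_VERSION_NUMBER values. The following is an added example, not part of the thread and not OpenSSH or FreeRADIUS code: it decodes them using the OpenSSL 3.x layout 0xMNN00PP0 and runs them through two hypothetical compatibility policies, to show why a check that compares the minor version refuses this pair while a major-only check accepts it.

```c
#include <stdio.h>

/* OpenSSL 3.x layout: 0xMNN00PP0 (M = major, NN = minor, PP = patch). */
struct ossl_ver { unsigned major, minor, patch; };

struct ossl_ver decode_ossl3(unsigned long v)
{
    struct ossl_ver r;
    r.major = (unsigned)((v >> 28) & 0xf);
    r.minor = (unsigned)((v >> 20) & 0xff);
    r.patch = (unsigned)((v >> 4) & 0xff);
    return r;
}

/* Hypothetical strict policy: major and minor must be identical and the
 * runtime patch level must not be older than the build-time one. */
int compatible_major_minor(unsigned long built, unsigned long linked)
{
    struct ossl_ver b = decode_ossl3(built), l = decode_ossl3(linked);
    return b.major == l.major && b.minor == l.minor && l.patch >= b.patch;
}

/* Hypothetical relaxed policy: same major, and the runtime library is
 * not older than the headers the program was compiled against. */
int compatible_major_only(unsigned long built, unsigned long linked)
{
    struct ossl_ver b = decode_ossl3(built), l = decode_ossl3(linked);
    if (b.major != l.major)
        return 0;
    if (l.minor != b.minor)
        return l.minor > b.minor;
    return l.patch >= b.patch;
}

int main(void)
{
    /* The two values quoted in the error messages in the question. */
    unsigned long built = 0x30000070UL, linked = 0x30200020UL;
    struct ossl_ver b = decode_ossl3(built), l = decode_ossl3(linked);

    printf("built against %u.%u.%u, running with %u.%u.%u\n",
           b.major, b.minor, b.patch, l.major, l.minor, l.patch);
    printf("major+minor policy: %s\n",
           compatible_major_minor(built, linked) ? "accept" : "refuse");
    printf("major-only policy:  %s\n",
           compatible_major_only(built, linked) ? "accept" : "refuse");
    return 0;
}
```

In a program linked against libcrypto, the build-time value is the OPENSSL_VERSION_NUMBER macro and the runtime value comes from OpenSSL_version_num().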