Hello,
Rocky Linux 9.5 upgraded openssl libs to 3.2.2.
For us who cannot run dnf update for various reasons, this causes a lot of issues if only openssl is updated. It seems that OpenSSL promises ABI compatibility as long as the .so version is the same, but some packages explicitly check the openssl version and refuse to run. For example, updating only openssl on 9.4 or earlier causes such issues:
- openssh does not accept new connections, it fails with the error:
    OpenSSL version mismatch. Built against 30000070, you have 30200020
- radiusd (at least compiled from source) fails with a similar error:
    libssl version mismatch. built: 30000070 linked: 30200020
Updating sshd and recompiling radiusd solves the issue.
So the main question is, how dangerous is it to run a system with updated ssl without running a full dnf/yum update? As far as I can see only a few packages (openssh, radiusd) explicitly check openssl versions, and others trust that the updated openssl ABI will work.
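To make the two error messages above easier to read when triaging logs, here is an added example (not part of the original post, and not code from openssh or radiusd) that decodes the hex version numbers and labels the kind of drift between build-time and run-time OpenSSL. The names `decode_version`, `parse_mismatch` and `classify` and the category labels are assumptions made for illustration; the two sample lines are the messages quoted in the post.

```python
import re
from typing import NamedTuple, Optional, Tuple

class Version(NamedTuple):
    major: int
    minor: int
    patch: int

def decode_version(hex_number: str) -> Version:
    """Decode an OpenSSL 3.x OPENSSL_VERSION_NUMBER (layout 0xMNN00PP0)."""
    n = int(hex_number, 16)
    major = (n >> 28) & 0xF
    if major < 3:
        # OpenSSL 1.x packs its fields differently (0xMNNFFPPS).
        raise ValueError("pre-3.0 version numbers use a different layout")
    # The lowest nibble is ignored here; only major/minor/patch are returned.
    return Version(major, (n >> 20) & 0xFF, (n >> 4) & 0xFF)

# Matches both message shapes from the post: build-time number, then run-time.
MISMATCH_RE = re.compile(
    r"(?:Built against|built:)\s*([0-9a-fA-F]{8})"
    r".*?(?:you have|linked:)\s*([0-9a-fA-F]{8})"
)

def parse_mismatch(line: str) -> Optional[Tuple[Version, Version]]:
    """Return (built, linked) versions from a mismatch log line, else None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return decode_version(m.group(1)), decode_version(m.group(2))

def classify(built: Version, linked: Version) -> str:
    """Label the drift between headers used at build time and the loaded library."""
    if linked.major != built.major:
        return "major-change"    # different major series, ABI promise does not apply
    if linked < built:
        return "downgrade"       # library older than the headers it was built with
    if linked.minor != built.minor:
        return "minor-upgrade"   # same major; strict version checks may still refuse
    if linked.patch != built.patch:
        return "patch-upgrade"
    return "identical"

# Sample input: the two messages quoted in the post.
SAMPLE_LINES = [
    "OpenSSL version mismatch. Built against 30000070, you have 30200020",
    "libssl version mismatch. built: 30000070 linked: 30200020",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        built, linked = parse_mismatch(line)
        print(f"built {built.major}.{built.minor}.{built.patch}, "
              f"linked {linked.major}.{linked.minor}.{linked.patch}: "
              f"{classify(built, linked)}")
```

Both messages decode to built 3.0.7 and linked 3.2.2, which is a minor-version jump inside the same major series.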