Fedora 37 delayed two weeks due to critical vulnerability in OpenSSL

The developers of the Fedora project announced that the release of Fedora 37 has been postponed to November 15 because a critical vulnerability in the OpenSSL library must be fixed first. Since details of the vulnerability will be disclosed only on November 1 and it is not clear how long it will take to implement protection in the distribution, it was decided to postpone the release by 2 weeks. This is not the first postponement: the release of Fedora 37 was initially expected on October 18, but was postponed twice (to October 25 and November 1) due to failure to meet quality criteria.

There are currently 3 unfixed issues in the final test builds that are classified as release blockers. In addition to the OpenSSL vulnerability, the kwin composite manager hangs when starting a Wayland-based KDE Plasma session if nomodeset (basic graphics) mode is set on UEFI systems, and the gnome-calendar application hangs when editing recurring events.

The critical vulnerability in OpenSSL affects only the 3.0.x branch; the 1.1.1x releases are not affected. The OpenSSL 3.0 branch is already used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt and Alpine Linux 3.16 remain on the OpenSSL 1.x branches.

The vulnerability is classified as critical. Details have not yet been reported, but in terms of severity the problem is close to the much-publicized Heartbleed vulnerability. The critical severity level implies that a remote attack on typical configurations is possible. Issues that can be rated critical include those leading to remote leaks of server memory contents, execution of attacker code, or compromise of server private keys. OpenSSL 3.0.7, which fixes the problem, and information about the nature of the vulnerability will be published on November 1.
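An inventory check based on the branch information above (3.0.x affected, 1.1.1x not affected, fix in 3.0.7), as an added example that is not part of the original article. The function name, the result labels and the sample banners in the comments are constructed for illustration; the input is the banner printed by `openssl version`.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the article's branch data:
# 3.0.x before 3.0.7 is on the affected branch, 1.1.1x is not affected.
# Constructed sample input: "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)"

classify_openssl() {
    banner=$1
    # Prefer the linked library version when the banner reports one: the CLI
    # binary and the libssl/libcrypto it loads can come from different builds.
    case $banner in
        *"(Library: OpenSSL "*)
            ver=${banner#*"(Library: OpenSSL "}
            ver=${ver%% *}
            ;;
        "OpenSSL "*)
            ver=${banner#OpenSSL }
            ver=${ver%% *}
            ;;
        *)
            # Other TLS libraries or unparseable output: not covered by the article.
            echo "unknown"
            return 0
            ;;
    esac
    case $ver in
        3.0.*)
            patch=${ver#3.0.}
            patch=${patch%%[!0-9]*}   # drop build suffixes such as "+quic"
            if [ -z "$patch" ]; then
                echo "unknown"
            elif [ "$patch" -lt 7 ]; then
                echo "affected-branch"
            else
                echo "fixed"
            fi
            ;;
        1.1.1*) echo "not-affected" ;;
        *)      echo "unknown" ;;
    esac
}

# Classify the local installation when the script is run as: sh script.sh check
if [ "${1:-}" = "check" ]; then
    classify_openssl "$(openssl version 2>/dev/null)"
fi
```

Distributions often backport fixes without changing the upstream version string, so an `affected-branch` result should be confirmed against the distribution's package changelog or security tracker.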

Source: opennet.ru
