
New CVE has come up for OpenSSL >= 3.0 (note we use openssl 1.x today) #17

Open
MikeFultonDev opened this issue Oct 31, 2022 · 4 comments

Comments

MikeFultonDev (Contributor) commented Oct 31, 2022

Note: this does not affect us yet because we are porting 1.x and not 3.x:

See: CVE for starter information
@IgorTodorovskiIBM @ejratl fyi

IgorTodorovskiIBM (Collaborator) commented:

Should we eventually move up to openssl 3.0? We're currently building off of Openssl 1.1, which I believe is not affected.

MikeFultonDev (Contributor, Author) commented:

Yeah - good point - I didn't realize when I opened this, that we were 1.x

@MikeFultonDev MikeFultonDev changed the title Incorporate security vulnerability into openssl and rebuild dependent projects New CVE has come up for OpenSSL >= 3.0 (note we use openssl 1.x today) Oct 31, 2022
v1gnesh (Contributor) commented May 16, 2023

Was looking this up and found a reason for us to maybe switch to 3.x:

https://www.openssl.org/source/

Note: The latest stable version is the 3.1 series supported until 14th March 2025. Also available is the 3.0 series which is a Long Term Support (LTS) version and is supported until 7th September 2026. The previous LTS version (the 1.1.1 series) is also available and is supported until 11th September 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 3.1 or 3.0 as soon as possible. Extended support for 1.0.2 to gain access to security fixes for that version is available.

IgorTodorovskiIBM (Collaborator) commented:

Thanks @v1gnesh , we may want to consider dropping support for OpenSSL 1.1 if the projects that are dependent on openssl continue to work with Openssl 3.0 - https://github.com/ZOSOpenTools/meta/blob/main/docs/Progress.md#projects-with-the-most-dependencies and OpenSSL 3's API is mostly compatible with OpenSSL 1.1.
