Context: on 2022-10-25 the OpenSSL team announced a security fix release for critical vulnerabilities. The severity level was, on the day of the release, downgraded to high.
TL;DR: this issue does and did not have any significant impact on the Tuleap project infrastructure or Tuleap deliverables.
Tuleap project infrastructure:
gerrit.tuleap.net was affected by the issue. Following the advisory release (~ 2022-11-01 15h44 UTC) we came to the conclusion the vulnerabilities could not be exploited in our context (2022-11-01 16h06 UTC). Patches have been applied since then (2022-11-02 05h18 UTC).
- OS packages are not impacted: Tuleap is deployed on CentOS / RHEL 7 where nothing depends on OpenSSL 3.
- the Git version Tuleap uses via its
tuleap-git-bin package links statically against OpenSSL 3.0.5 which is vulnerable. However, the code paths affected by it cannot be triggered within a normal usage of Tuleap (no communication overs HTTPS with a remote Git origin). As this does not present a significant threat we are waiting on nixpkgs binary cache to be up to date before upgrading.
- we use a vulnerable OpenSSL when fetching sources for our "additional packages" but due to the nature of the vulnerabilities it cannot be really exploited: it would require that a trusted CA sign a malicious certificate and to achieve an RCE it also requires to bypass the stack protection mechanisms. Nonetheless, we will update as soon as the nixpkgs binary cache are up to date.