Should we expect a new release or docker image rebuild for when the OpenSSL CVE/patch lands tomorrow?
10/31/2022, 6:39 PM
Hey @wtheaker, I’ve reached out to the team and we’re digging into this. Will have an answer for you shortly!
10/31/2022, 6:56 PM
Open the osquery side, OpenSSL 1.x is in use, which is not affected.
On the Fleet server side, we use Go, which has its own TLS implementation. We know Go plans to release a security update tomorrow, and it does not look like it will be to fix the same issue in their TLS implementation.
It is not impossible that other TLS implementations will have similar vulnerabilities, so we will look closely at the updates to see if any require an emergency update.
So TL;DR -> It is unlikely we will need to release an emergency update tomorrow.
I meant “on” the osquery side but for some reason Slack won’t let me edit 🙂