Hello,
Given the vulnerabilities identified in OpenSSL version 3.1.0 and its inclusion in the latest Chef Client 18.5 release, I am concerned about the safety of using this version.
Could you please confirm if Chef plans to release an update addressing these OpenSSL 3.1.0 issues? Additionally, is it advisable to upgrade to OpenSSL version 3.2?
Thank you.
1 Like
Chef Client 18.5.0, as installed from a package, should be packaged with an OpenSSL library version of 3.0.9 on non-Windows and 1.0.2zi on Windows, as 3.0.9 OpenSSL is the latest version of OpenSSL to be validated for FIPS. macOS is one exception, in which I believe the Ruby that is packaged with the installer simply uses the version available on the OS itself (LibreSSL).
This assumes that you're talking about the OpenSSL version that shows up if you run
ruby -ropenssl -e 'puts OpenSSL::OPENSSL_LIBRARY_VERSION'
vs. the openssl from gem info openssl (which should be the 3.2.0 version of the openssl gem, only loosely related to the OpenSSL library itself).
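The distinction drawn in the reply above, as an added example that is not part of the original posts: it reads the linked library banner, the build-time banner and the gem version separately, then says which of them a scanner-reported version number refers to. The helper names and `SAMPLE_INVENTORY` are hypothetical; the sample uses the versions quoted in the thread.

```ruby
require 'openssl'

# Parse a banner such as "OpenSSL 3.0.9 30 May 2023" or "LibreSSL 3.3.6".
# Returns { vendor:, version: } or nil when the banner is not recognised.
def parse_library_banner(banner)
  m = banner.to_s.match(/\A(OpenSSL|LibreSSL)\s+(\d+\.\d+\.\d+[a-z]*)/)
  m && { vendor: m[1], version: m[2] }
end

# The three values that are easy to confuse on a Chef node.
def openssl_inventory
  {
    linked_library: parse_library_banner(OpenSSL::OPENSSL_LIBRARY_VERSION), # loaded at runtime
    built_against:  parse_library_banner(OpenSSL::OPENSSL_VERSION),         # compile-time headers
    gem_version:    OpenSSL::VERSION                                        # Ruby binding (the gem)
  }
end

# Exact match, or a shorter prefix such as "3.0" matching "3.0.9".
def version_matches?(actual, reported)
  actual == reported || actual.start_with?("#{reported}.")
end

# Says which component a scanner-reported version number actually refers to.
def classify_finding(reported, inventory)
  lib = inventory[:linked_library]
  return :library  if lib && version_matches?(lib[:version], reported)
  return :gem_only if version_matches?(inventory[:gem_version], reported)
  :neither
end

# Constructed sample using the versions quoted in the thread (non-Windows package).
SAMPLE_INVENTORY = {
  linked_library: { vendor: 'OpenSSL', version: '3.0.9' },
  built_against:  { vendor: 'OpenSSL', version: '3.0.9' },
  gem_version:    '3.2.0'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "this interpreter: #{openssl_inventory}"
  %w[3.0.9 3.1.0 3.2.0].each do |v|
    puts "reported #{v} -> #{classify_finding(v, SAMPLE_INVENTORY)}"
  end
end
```

Run it with the Ruby embedded in the Chef Client package rather than a system Ruby, since each interpreter can link a different library.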