RedHat 8.6 libk5crypto.so.3 misses symbol EVP_KDF with openssl 1.1.1l

Tomas Mraz tomas at openssl.org
Tue Nov 8 07:55:42 UTC 2022


Red Hat backports security fixes to older versions so if you keep your
RHEL installation up-to-date with 'yum update' you should not need to
install newer upstream releases on the system.

Regards,

Tomas Mraz

On Tue, 2022-11-08 at 08:51 +0100, Matthias Apitz wrote:
> On Tuesday, November 08, 2022 at 08:26:54 a.m. +0100, Tomas
> Mraz wrote:
> 
> > Hi,
> > 
> > Red Hat patches its OpenSSL implementation with some additional API
> > calls. That means you cannot use builds from an unpatched upstream
> > OpenSSL tarball in place of the system libcrypto and libssl
> > libraries.
> > 
> > The proper way is to always obtain updated system packages from your
> > vendor, i.e., Red Hat. Otherwise you would have to try to update the
> > source rpm package from RHEL with a new openssl version, keeping the
> > patches that Red Hat adds to it. That is definitely not a trivial
> > endeavour.
> > 
> > If, for some reason, you need a newer OpenSSL package for some particular
> > application that you install to the system, it should be possible to
> > keep the system openssl package untouched, install the upstream OpenSSL
> > package somewhere into /opt or /usr/local, and link that application
> > against this installation of OpenSSL.
> > 
> > The primary question to ask is - why do you need to install
> > openssl 1.1.1l on RHEL-8.6?
> > 
> > Tomas Mraz, OpenSSL
> 
> Thanks for your answer and explanation. We updated all our servers on
> SuSE Linux SLES and RedHat to openssl 1.1.1l due to an announced security
> problem (do not remember the CVE, perhaps you will know better). The
> RH 8.6 server has:
> 
> # /usr/bin/openssl version
> OpenSSL 1.1.1k  FIPS 25 Mar 2021
> 
> we use:
> 
> # /usr/local/sisis-pap/bin/openssl version
> OpenSSL 1.1.1l  24 Aug 2021
> 
> and have linked all our application servers against this version.
> 
>         matthias
> 
> 

-- 
Tomáš Mráz, OpenSSL
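
An added example, not part of the original message: one way to check whether a binary would load the distro libk5crypto.so.3 together with a private libcrypto, and whether a given libcrypto defines any EVP_KDF symbols. The library directory under /usr/local/sisis-pap, the sample addresses and the list of distro directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Both functions read tool output on
# stdin, so they can be tried on the constructed samples below.

# Usage: ldd /path/to/binary | check_libcrypto_mix
# Returns 1 when a distro libk5crypto would bind to a non-distro libcrypto.
# Assumption: /lib, /lib64, /usr/lib and /usr/lib64 are the distro directories.
check_libcrypto_mix() {
    awk '
        $2 == "=>" && $3 ~ /^\// {
            sys = ($3 ~ /^\/(usr\/)?lib(64)?\//)
            if ($1 ~ /^libcrypto\.so/)        { crypto = $3; crypto_sys = sys }
            else if ($1 ~ /^libk5crypto\.so/) { k5 = $3; k5_sys = sys }
        }
        END {
            if (k5 != "" && k5_sys && crypto != "" && !crypto_sys) {
                print "MIXED: " k5 " would bind to " crypto
                exit 1
            }
            print "ok: libcrypto => " (crypto == "" ? "(none)" : crypto)
        }'
}

# Usage: nm -D --defined-only /path/to/libcrypto.so.1.1 | exports_evp_kdf
# Returns 0 when at least one EVP_KDF* symbol is defined in the library.
exports_evp_kdf() {
    awk '$2 ~ /^[TtDdBbRrWw]$/ && $3 ~ /^EVP_KDF/ { found = 1 }
         END { exit !found }'
}

# Constructed ldd output: private OpenSSL directory searched before /lib64.
sample_mixed() {
    cat <<'EOF'
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0000200000)
    libcrypto.so.1.1 => /usr/local/sisis-pap/lib/libcrypto.so.1.1 (0x00007f0000400000)
EOF
}

# Constructed ldd output: everything resolved from the distro directories.
sample_system() {
    cat <<'EOF'
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0000200000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000400000)
EOF
}
```

A MIXED result typically means the private OpenSSL directory is on a global search path (LD_LIBRARY_PATH or ld.so.conf) instead of being referenced only by the application linked against it.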


