Many people are concerned about recently announced OpenSSL vulnerabilities (CVE-2022-3786 and CVE-2022-3602). However, none of the VyOS versions ever released are vulnerable. Those vulnerabilities affect only OpenSSL version 3.0.x, while VyOS uses 1.1.1n in the 1.3.x LTS line and in the nightly builds of the upcoming 1.4 release, and that version is not vulnerable.
VyOS version | Debian base system | OpenSSL version |
---|---|---|
1.4.x nightly | Bullseye | 1.1.1n |
1.3.x LTS | Buster | 1.1.1n |
1.2.x legacy | Jessie | 1.0.1t |
For the record, that's also how we avoided having to make an emergency release for the Heartbleed vulnerability back in 2014: the OpenSSL version we had in our base system at the time was older than the code that introduced the bug. Sometimes sticking to older versions of fundamental libraries does pay off.
In any case, we are working on 1.2.9 and 1.3.3 releases, and we'll roll them out when they are ready — there's just no need to hurry up with it yet.