rhboot / shim

UEFI shim loader

Query regarding migrating shim to openssl 3.0

vbrahmajosyula1 opened this issue · comments

We (Photon OS) see that the current version of openssl used in shim is 1.0.2k and there are open CVEs on this version. We understand that all the reported CVEs on 1.0.2k+ might not be applicable to shim given the limited code and interfacing. The 1.0.2 series only has premium support, and most distributions are moving to openssl 3.0.

Are there any plans to migrate shim to use openssl 3.0?

We understand the concern with having CVEs open and encourage others to evaluate them. I will say that we do check CVEs as they go by and to our knowledge we are not affected.

shim will never be a component that always uses the latest version of openssl. Think about signing - we're not going to force all shims to be resigned just because a new openssl version dropped - nor is it realistic to load Microsoft just based on this. So this state is somewhat inevitable.

Conversations are underway about updating, but I can say that it will be slower than you'd like :)

Thanks for the response. We will migrate to 15.6 short term. Is there any other open ticket for the openssl upgrade to track? (I can keep this ticket open as well).

If you need something to point at, this is probably best.