I've noticed that the version of OpenSSL in the Amazon Linux repository is 3.2.2, and its end-of-life (EOL) is approaching on November 23, 2025. Is there any plan from AWS to upgrade to a newer version, such as 3.5 or 3.6 (which are LTS)? According to the OpenSSL project, version 3.5 will be supported until April 8, 2030, and version 3.4 until October 22, 2026. I'm concerned about security support and would like to know how AWS will handle this update.
4 Answers
AWS might be able to manage current support by backporting fixes from the LTS version for a while. That seems like a feasible strategy for them.
As far as I see it, the current OpenSSL package will still receive security updates until June 30, 2029. You can check more details from the AWS docs to get the latest info on package support.
You might want to consider submitting a feature request over on the Amazon Linux 2023 GitHub page. It could get the attention of their development team!
It's kind of surprising they rely on user-submitted requests when they have a full team. Maybe they should prioritize this need more directly!
Yeah, many distributions out there typically backport patches to ensure security, so I'm sure AWS might follow a similar approach.
That's good to know, but they need to clarify which version of OpenSSL that applies to; it’s not specifically mentioned.