This week, OpenSSL announced a high-severity vulnerability that affects versions 3.x.
We can confirm that Octopus Deploy depends on OpenSSL versions 1.x, which are not affected by this vulnerability. The OpenSSL vulnerability only affects servers configured to validate client certificates.
- Octopus Tentacle communication uses client certificate authentication to register with the Octopus Deploy Server. This is not affected because it currently depends on OpenSSL versions 1.x.
- The OpenSSL version Octopus Tentacle is using is under support until 11th September 2023.
For more details on the OpenSSL vulnerability, check out this excellent write-up published on the Datadog blog.