Fedora 37 was delayed two weeks due to a vulnerability in OpenSSL and would arrive on November 15


Due to some stability and security issues, the release of Fedora 37 is delayed again

The developers of the Fedora project recently announced the postponement of the release of Fedora 37, which was scheduled to be released on October 18. Due to security problems, the new release date has been moved to November 15; as already mentioned, this is due to the need to correct a critical vulnerability in the OpenSSL library.

Since details of the vulnerability will be disclosed only on November 1, and it is not clear how long it will take to implement the fix in the distribution, it was decided to postpone the release for 2 weeks.

Due to outstanding crash bugs[1], F37 Final Release Candidate 3 was declared a NO-GO. Due to the upcoming critical OpenSSL vulnerability disclosure, we are moving the next target date forward by one week.

The next final Fedora Linux 37 Go/No-Go meeting[3] will be held at 1700 UTC on Thursday, November 10 at #fedora-meeting. We will be aiming for the “target date #3” milestone of November 15th. The release schedule has been updated accordingly.

This isn't the first time the Fedora 37 release has been rescheduled. It was planned for October 18, but was delayed twice (to October 25 and November 1) because the quality criteria were not met.

There are currently 3 unresolved issues in the final test builds that are classified as release blockers. On the problem with OpenSSL, the following is mentioned:

This affects common configurations and they are also likely to be exploitable. Examples include significant disclosure of server memory contents (potentially revealing user details), vulnerabilities that can be easily exploited remotely to compromise server private keys, or where remote code execution is considered likely in common situations. These issues will be kept private and will result in a new version of all supported versions. We will try to solve them as soon as possible.

The critical vulnerability in OpenSSL is said to affect only the 3.0.x branch, so versions 1.1.1x are not affected. The concern is that the OpenSSL 3.0 branch is already used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36, and Debian Testing/Unstable.

In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, and Alpine Linux 3.16 remain on the OpenSSL 1.x branches.

The vulnerability is classified as critical. Details have not been reported yet, but in terms of severity the issue is close to the widely publicized Heartbleed vulnerability. The critical severity level implies the possibility of a remote attack on typical configurations. Issues classified as critical are those that lead to remote server memory leaks, attacker code execution, or server private key compromise. OpenSSL 3.0.7, which fixes the problem, and information on the nature of the vulnerability will be published on November 1.
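Added example, not part of the original article: a first-pass triage of `openssl version` banners against the branch information above (3.0.x affected, 1.1.1x not affected, fix in 3.0.7). The function names, host names and banners are hypothetical, constructed samples.

```python
import re
import ssl

# From the article: only the 3.0.x branch is affected; 3.0.7 carries the fix.
FIXED = (3, 0, 7)
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify(banner):
    """Return (version, verdict) for an `openssl version` style banner."""
    m = BANNER_RE.search(banner)
    if not m:
        # LibreSSL, BoringSSL or unparseable output: needs a manual look.
        return None, "unknown"
    ver = tuple(int(part) for part in m.group(1, 2, 3))
    text = "%d.%d.%d%s" % (ver + (m.group(4),))
    if ver[:2] != (3, 0):
        return text, "outside-3.0-branch"   # e.g. 1.1.1x, not affected per the article
    if ver < FIXED:
        # Distributions may backport fixes without bumping the upstream
        # version, so confirm this verdict against the vendor advisory.
        return text, "affected-needs-3.0.7"
    return text, "fixed"

def hosts_to_patch(inventory):
    """Hosts whose banner is on 3.0.x below 3.0.7, or could not be parsed."""
    flagged = []
    for host, banner in sorted(inventory.items()):
        if classify(banner)[1] in ("affected-needs-3.0.7", "unknown"):
            flagged.append(host)
    return flagged

# Constructed sample inventory (hypothetical host names and banners).
SAMPLE = {
    "web01": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "db01": "OpenSSL 1.1.1n  15 Mar 2022",
    "build01": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "edge01": "LibreSSL 3.5.3",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE.items()):
        print(host, *classify(banner))
    print("needs attention:", hosts_to_patch(SAMPLE))
    # The OpenSSL build this Python interpreter is linked against:
    print("local:", *classify(ssl.OPENSSL_VERSION))
```

Statically linked copies of OpenSSL inside applications and containers do not show up in the system banner and need a separate inventory.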

In addition to the need to fix the vulnerability in OpenSSL, the kwin composite manager freezes when starting a Wayland-based KDE Plasma session with nomodeset (basic graphics) set on UEFI systems. This happens because simpledrm incorrectly advertises 10-bit pixel formats on native 8-bit framebuffers.

The other problem is that the gnome-calendar application freezes when editing recurring events: once a recurring event is added that repeats weekly until a certain date in the future, that is, for several weeks, it can no longer be edited or deleted. Any attempt to open the event freezes the app and brings up a "Force Quit" dialog, which must eventually be used to exit the app.
