-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 1.x reaches EOL on September 11, 2023 #2048
Comments
Thank you for letting us know. We are working on an update for this, but do not have an ETA. I will close this issue to keep the list of open issues fresh. Feel free to reach out again if you feel it is necessary. |
I want to reopen and we shall provide ETA before closing this issue. |
Internal work item: 4254856 We will track it there. |
OpenSSL 1.x reached EOL yesterday. When can we expect this crucial security update from you? Or is Microsoft Azure going to sponsor the OpenSSL premium support contract to all customers that now have to rely on an otherwise insecure dependency? |
Just been bitten by this after an upgrade to .NET 8 and the new base images using version 3. We're developing an app that has to meet compliance requirements and the official line from Microsoft being "install a vulnerable dependency from source" is pretty poor. Is there any sort of ETA on this, especially given .NET 8 is now an official release? |
This item has been open without activity for 19 days. Provide a comment on status and remove "update needed" label. |
Just got bitten by the same issue. Is there any ETA, I'm not really a Linux person and don't want to build my own container. For now I could simple stick with our old container, this was just a framework update, no new features but this is very annoying. |
This functionality become very crucial nowadays, do you have ant ETA? |
This item has been open without activity for 19 days. Provide a comment on status and remove "update needed" label. |
Hey Guys, any update on this? |
We are actively working on it and hope to have a meaningful update soon. |
Maybe you could share some ETA with us? |
I still can't comprehend how the official microsoft docs contain a guide on how to compile an outdated OpenSSL version from scratch, just so we can use an Azure SDK. Is there at least a prebuilt .NET 8 image that we can use on Azure Web Apps? |
Can we get an update on this, we're having to delay a rollout because of this? |
Yup that's unfortunately not the case :( |
And also no word-timestamps for TTS, etc., etc. ..... why don't they just make a gRPC interface then the whole SDK would be obsolete .... ? |
I didn't even realise you could get timestamps for TTS? That would be so useful. Unfortunately, we've had so many issues with the SDK and now this, that we're having to use the http API directly. We have PCI compliance to think about, and all our assurances from Microsoft about the compliance of the service itself go out the window if we tell the auditors that we're using a known EOL version of OpenSSL to talk to the damned thing. |
Anyways, this is a major setback for us as because of this we cannot deploy to azure container apps (app boot fails on linux because of this). We tried windows app services and those performed soooo poorly doing speech to text it rendered them useless. In a nutshell, due to this issue we'll have to find a different SpeechToText and TextToSpeech provider instead of using cognitive services we were very happy with in the lab environment. Please fix this MS! |
If anyone is interested in working on a repo to implement the http api in java, hit me up :) |
To get the full feature set, you can also try implementing the WebSocket API. There is a Rust SDK that did this, and the official JavaScript SDK also does this and is fully open source. To see what requests the JS SDK makes, you can either read the source code (no clean room reverse engineering needed, it's MIT licensed, so go ahead and copy & translate whatever you need) or load it in the browser and have a look at the network tab. It's no rocket science, so while the WebSocket API is not officially documented it's still really easy to use. This way, you still get access to features like streaming responses or word boundary timestamps. |
This isn't too promising: MicrosoftDocs/azure-docs@06c39f8 |
We are still working on supporting the OpenSSL3.x for Linux, we will let you know the exact release date once that is known, probable ETA Q2 2024. |
For any .NET developers just wanting to get things working while awaiting OpenSSL3 support, adding this to my dockerfile got me back in business (adds legacy OpenSSL support to ASP.NET 8.0 container base image): FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base Credit to @joulgs https://gist.github.com/joulgs/c8a85bb462f48ffc2044dd878ecaa786 |
This worked for us deploying as docker: ROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy AS base |
We're currently trying to update to net8 since net 7.0 runs out of support on 14th of may. There are currently 6 high vulnerabilities as seen on: https://www.openssl.org/news/vulnerabilities-3.0.html |
Is there any update? Our Snyk is complaining about it a lot. |
python temporary solution : #2204 (comment) |
Or just use python:bullseye images:
Debian 11 is still supported and no need do a complicated ubuntu package installations on debian-based python images. |
Is there any update? |
OpenSSL 3.x support has been implemented and will be included in the Speech SDK 1.38.0 release coming this summer. |
Can we use snapshot version ? |
Is there a pre-release or beta version we can use now @pankopon to bridge the gap until the official summer release? |
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
Suggesting to install OpenSSL 1.x from source because it has been removed from all Linux distributions is bad advice and a potential security risk.
The text was updated successfully, but these errors were encountered: