Ensure security bugs always have a tag attached
Dimitri John Ledkov (Chainguard) Tue 14 Oct 2025 12:12PMPublicSeen by 146When a CVE is announced, and committed to stable branches without a tagged release it creates automation problems.
Severity or classification of CVE does not matter. This should apply to all security issues, regardless of their severity or classification.
CVE databases in various scanners have to either declare that there is no known version of software that contains the fix. Or they have to declare a next/future/non-existent version as the one containing the fix. This can cause issues as users demand upgrades to OpenSSL of a version that does not exist.
Other projects always use semver versions and always tag releases containing a security fix. Doing so could help OpenSSL project, especially if it is done on lightweight basis without "full" point release machinery.
If CVE gets announced together with a point release - things are great, as there are correct references everywhere w.r.t. versions of software that have the fix.
CVE-2025-4575 was announced on 22nd of May 2025 without being tagged. A 3.5.1 release came out July 1st. During that time between 22nd of May 2025 until July 1st, a lot of manual things had to happen, which could have been avoided with a nano tag. Specifically individual distributions had to cherry-pick patches; create advisories; publish advisories; ensure security scanners pick up the advisories; and then eventually all of that work was thrown away once 3.5.1 was released and upgraded to.
Here is a proposal for an alternative approach:
If CVE is disclosed, and stable branches are not ready for release
Pick the last released tag. In above example for CVE-2025-4575 that would be 3.5.0.
Apply security fixes to 3.5.0, ideally conflict free - for example without updating CHANGES.md NEWS.md openssl version string. OR ensure that updates to such volatile files are done in separate commits. This is to ensure that cherry-picking patches to different branch points is as easy as possible for distributions.
Create a micro-tag of such security-only bugfix. In this example 3.5.0.1.
Merge 3.5.0.1 into stable branch
Publish CVE disclosure mentioning that CVE is fixed in 3.5.0.1
Above achieves multiple goals:
distributions/packagers that can upgrade, can perform git checkout a tag and build from it; or download github autogenerated tarball and build from it
automation to upgrade package in all distributions just works (debian uscan, fedora release monitoring, etc)
those that need to cherry-pick patches, can do so with automatic git cherry-pick most of the time, as files that cause conflicts are in separate commits (updates to CHANGES.md NEWS.md, openssl version string).
those tracking snapshots of the stable branches, know the difference with git describe if they are before/after 3.5.0.1 barrier, as git describe counting number of commits resets
Note that the goals are to ensure there is a tag for a disclosed CVE always, to always have semver compatible reference to version numbers that contain a fix.
One can achieve the above goal in different ways too. For example to avoid introducing nano-versions, one can also do:
branch of the first commit after last tag 3.5.0, that bumps version number
apply security patches, tag normal 3.5.1, add commit that bumps dev version to 3.5.2
merge that into stable branch upon disclosure
such that 3.5.1 security release only has security fixes, without the rest of stable updates not yet ready for release, and stable branch gains 3.5.1 tag and effectively moves all outstanding changes to be released as part of 3.5.2
Another alternative, is to simply always cut a point release when CVE happens, irrespective of the CVE severity or impact analysis.
Examples of projects that ensure all CVE fixes have tagged releases are:
golang
x/net
x/crypto
They always tag a release, and it is either security-only fixes; or a regular non-security point release.
Thus golang never has this situation - "You can find fixes in these git commit hashes, good luck cherry-picking those - or well be vulnerable for multiple weeks until a stable point release is actually made".
Note, this is a request/proposal, but I have no stake in the game, as I do not handle publication of OpenSSL CVEs, but I am consuming them. If tags are created for CVE fixes, it would help automatically ingesting and upgrading OpenSSL in all the distributions as most have automation to handle upgrades of software versions.
Neil HormanTue 14 Oct 2025 1:01PM
+1 to @Tomas Mraz 's suggestion, It seems the only issue here is with low severity CVE's that get fixed in public without disclosure co-ordination. Using githubs advisory infrastrucute for all CVE's seems like it will resolve the problem.
Dimitri John Ledkov (Chainguard)Fri 13 Mar 2026 2:20PM
@Tomas Mraz @Neil Horman @Matt Caswell @Paul Dale @Paul Dale @Anton Arapov @Anton Arapov please cherrypick fixes for https://openssl-library.org/news/secadv/20260313.txt on top of 3.6.1 and 3.5.5 to create 3.6.1.1 and 3.5.5.1 with fix for CVE-2026-2673 alone. And push that as tag alone without any other release details. Please update the security advisory to state that things are fixed in 3.6.1.1 and 3.5.5.1 otherwise all scanners will start telling people they are vulnerable and must upgrade to the non-existent 3.5.6 and 3.6.2 in about 24h over the weekend. Please never announce CVEs on a Friday.
Tomas MrazFri 13 Mar 2026 2:38PM
@Dimitri John Ledkov (Chainguard) I am sorry but no, we are not going to cherry-pick these fixes and create these .1 releases. This is a Low, mostly informational type of advisory.
Randall BeckerThu 9 Apr 2026 10:47PM
Putting my release manager hat on, I think we are conflating two issues, perhaps. The merging into 3.5.0.1 naming style is separate from whether the CVE has a git tag associated with it. Since git does not allow a tag to be on multiple commits, nor is likely to any time soon, we need a tag naming structure, more than how cherry-picks are done, in my opinion. A tag like CVE-2026-2673 may be sufficient on main, it would need some qualification for other releases, something like CVE-2026-2673.3.5 (assuming the CVE only happens once in 3.5.x), applied after the Pull Request is merged. This could be automated in GitHub Actions if we enforce an internal tag like
CVE-Fixes: CVE-2026-2673
in the PR commit.
I think keeping the tagging separate from release numbering would allow us to migrate to this approach on existing release branches.
Nicola TuveriFri 10 Apr 2026 5:03AM
@Randall Becker I do like the trailer solution, and I am glad if it somehow can be leveraged by the GitHub automations.
I just want to make a point to strive for a git-solution not a GitHub-solution: the handling of security issues and resolutions must be accessible beyond GitHub specific features to service all our users!
Randall BeckerFri 10 Apr 2026 1:19PM
@Nicola Tuveri I agree. The git tag solution with a suffix is not GitHub specific. There is enough integration with GitHub for automation that I do not see the automatic adding of tags as a big change or restrictive beyond what already is present, like code style checking.
Shane LontisFri 10 Apr 2026 12:09AM
If the problem is that OpenSSL currently makes low severity CVE's PUBLICLY VISIBLE before a release happens, the solution is to not make any CVE's public before a release, especially if there is any possibility that there is a difference between what classification OpenSSL may chose and what classification a governing body chooses.
Nicola TuveriFri 10 Apr 2026 4:59AM
CVE databases in various scanners have to either declare that there is no known version of software that contains the fix. Or they have to declare a next/future/non-existent version as the one containing the fix. This can cause issues as users demand upgrades to OpenSSL of a version that does not exist.
Isn’t that something to demand a fix for in the scanners though? They seem to be failing to account in their DBs that a CVE might be fixed in a future release and some of them spread false information (e.g. pointing to a release that does not exist yet).
I am positively inclined to using a trailer in git commit messages, to mark the commits that address specific CVEs, but a lot of the rest sounds like overengineering a solution because we are trying to fix the real problem in the wrong place!
Sasha NedvedickyFri 10 Apr 2026 7:05AM
@Nicola Tuveri
I think OpenSSL is using that already for commits which fix issue with CVE-ID
commit 9efd7e9e98a98aaade8121bac8f1e53208c3af33
Author: Viktor Dukhovni <[email protected]>
Date: Sun Feb 15 22:50:09 2026 +1100
Fix group tuple handling in DEFAULT expansion
Also fine-tune docs and add tests.
Fixes: #30109
Fixes: CVE-2026-2673
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
MergeDate: Wed Feb 25 11:08:03 2026
(Merged from https://github.com/openssl/openssl/pull/30113)
it can be further imporved as Randall suggests to use `Fixes-CVE:` to avoid overloading of `Fixes:` keyword.
Tomas Mraz ·Tue 14 Oct 2025 12:45PM
We will consider handling Low severity fixes in the same way as the Moderate severity ones. I believe this should resolve the problem.