Update OpenSSL used in binary releases per CVE-2023-0464

[gpshead]

https://nvd.nist.gov/vuln/detail/CVE-2023-0464

We need OpenSSL >= 1.1.1u | 3.0.9 | 3.1.1.

We've got patch releases coming up soon, we should be able to just bump the versions before then.

(note: at the time of this writing OpenSSL hasn't even released those updated versions)

Linked PRs

• gh-103142: Update error codes, multissltests, and CI workflows for OpenSSL 1.1.1u, 3.0.9, and 3.1.1. #105129
• gh-103142: Update macOS installer to use OpenSSL 1.1.1u. #105130
• [3.11] gh-103142: Update macOS installer to use OpenSSL 1.1.1u. (GH-105130) #105131
• [3.12] gh-103142: Update macOS installer to use OpenSSL 1.1.1u. (GH-105130) #105132
• gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u #105174
• [3.12] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) #105199
• [3.11] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174)  #105200
• [3.10] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) #105204
• [3.9] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) #105205
• [3.7] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u. #105308
• [3.8] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) (GH-105205) #105370

[ambv]

We are still waiting on the upstream OpenSSL release as of today.

[gpshead]

https://www.openssl.org/ considers these low severity, so deferring this to not block releases could make sense. Otherwise we'd need to cherry pick a few patches and apply them as part of our build or pull a pre-release tarball from their source control, both of which sound annoying.

[JelleZijlstra]

From https://www.openssl.org/source/ it appears there's no 1.1.1u release yet. Is this still a blocker?

[gpshead]

wait until the day our releases are being built and bump it back to deferred if upstream openssl hasn't done releases.

[h-vetinari]

FYI: Their next release is planned to be in May.