OpenSSL 1.1.1zd out of date in ARM distributions — 1.1.1ze required

[linuxkd]

Describe the bug

The AWS CLI v2 ARM (aarch64) Linux distribution bundles OpenSSL 1.1.1zd (libssl.so.1.1 / libcrypto.so.1.1 in /usr/local/aws-cli/v2/<version>/dist/). Multiple CVEs have been published that require OpenSSL 1.1.1ze:

• CVE-2026-22796 — Type confusion in PKCS#7 signature verification
• CVE-2026-22795 — NULL pointer dereference in PKCS#12 processing
• CVE-2025-69421 — NULL pointer dereference in PKCS#12 decryption
• CVE-2025-69420 — Type confusion in TimeStamp Response verification
• CVE-2025-69419 — Buffer write vulnerability in PKCS#12 handling

This is the same class of issue as #8987 and #8789.

Expected Behavior

Bundled OpenSSL in ARM distributions is updated to 1.1.1ze or later.

Current Behavior

CLI v2.33.6 (latest) bundles OpenSSL 1.1.1zd on aarch64 Linux. Vulnerability scanners (Tenable Nessus) flag the bundled library at /usr/local/aws-cli/v2/2.33.6/dist/libssl.so.1.1.

Reproduction Steps

# On aarch64 Linux with AWS CLI v2 installed:
grep -ao "OpenSSL 1\.[0-9.]\+[a-z]*" /usr/local/aws-cli/v2/current/dist/libssl.so.1.1
# Returns: OpenSSL 1.1.1zd

Additional Information/Context

The x86_64 distribution statically links OpenSSL so this only affects ARM builds. Previous issues tracking this pattern: #8987, #8789, #8485.

CLI version used

2.33.6

Environment details (OS name and version, etc.)

Ubuntu 24.04 LTS (aarch64), Ubuntu 22.04 LTS (aarch64)

[hssyoo]

CLI v2.33.6 (latest)

This is verifiably false. The latest version is 2.34.10, and the bundled OpenSSL version is 1.1.1zf:

$ /usr/local/bin/aws --version
aws-cli/2.34.10 Python/3.13.11 Linux/6.1.163-186.299.amzn2023.aarch64 exe/aarch64.amzn.2023

$ grep -ao "OpenSSL 1\.[0-9.]\+[a-z]*" /usr/local/aws-cli/v2/current/dist/libssl.so.1.1
OpenSSL 1.1.1zf

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.