If emerging openssl-3.0.7-r2 is intended to obsolete vulnerable lesser versions, portage does not appear to be updating to openssl-3.0.7-r2 and also satisfying the specific dependency requirements for other packages. Reproducible: Always Steps to Reproduce: 1.sudo emerge -a =dev-libs/openssl-3.0.7-r2 2.emerge completes if dev-libs/openssl-1.1.1s first unemerged 3.emerge of dev-libs/openssl-3.0.7-r2 does not appear to satisfy specific dev-libs/openssl-1.1.1s dependencies of other packages. Actual Results: sudo emerge -avuDN --ask --keep-going world emerge of dev-libs/openssl-3.0.7-r2 does not replace dev-libs/openssl-1.1.1s package dependencies even when dev-libs/openssl-1.1.1s is uninstalled and masked to prevent reinstallation. !!! All ebuilds that could satisfy "=dev-libs/openssl-1.1*:0=" have been masked. !!! One of the following masked packages is required to complete your request: - dev-libs/openssl-1.1.1s::gentoo (masked by: package.mask) /etc/portage/package.mask: Expected Results: Expectation that openssl-3.0.7-r2 was issued to obsolete vulnerable lesser versions, and eliminate the package dependencies for lesser versions. Pursuant to the recently published vulnerabilities in openssl, a new version, dev-libs/openssl-3.0.7-r2, appeared in the proposed package emerge, albeit with many conflicting installed package dependencies continuing to require dev-libs/openssl-1.1.1s. ^^^^^^^ examples: (dev-libs/openssl-3.0.7-r2:0/3::gentoo, ebuild scheduled for merge) USE="asm vanilla -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" conflicts with dev-libs/openssl:0/1.1=[abi_x86_64(-)] required by (app-arch/xar-1.8.0.0.487.100.1:0/0::gentoo, installed) USE="" ABI_X86="(64) -32 (-x32)" >=dev-libs/openssl-1.0.2k:0/1.1= required by (net-wireless/wpa_supplicant-2.10-r1-1:0/0::gentoo, installed) USE="crda dbus fils hs2-0 mbo mesh qt5 readline -ap -broadcom-sta -eap-sim -eapol-test -fasteap -macsec -p2p -privsep (-ps3) (-selinux) -smartcard -tdls -tkip -uncommon-eap-types -wep (-wimax) -wps" ABI_X86="(64)" >=dev-libs/openssl-1.1.1:0/1.1= required by (dev-lang/python-3.10.9:3.10/3.10::gentoo, installed) USE="build ensurepip gdbm ncurses readline sqlite ssl xml -bluetooth -examples -hardened -libedit -lto -pgo -test -tk -valgrind -verify-sig" ABI_X86="(64)" ^^^^^^^ If dev-libs/openssl-3.0.7-r2 is meant to replace lesser versioned openssl, including a vulnerable dev-libs/openssl-1.1.1s, it does not appear to emerge and eliminate the requirement for dev-libs/openssl-1.1.1s. Uninstalling dev-libs/openssl-1.1.1s and emerging dev-libs/openssl-3.0.7-r2 does not appear to force rebuilds for openssl-1.1.1s dependent packages. Masking openssl <=dev-libs/openssl-3.0.7 does not resolve the issue: !!! All ebuilds that could satisfy "=dev-libs/openssl-1.1*:0=" have been masked. !!! One of the following masked packages is required to complete your request: - dev-libs/openssl-1.1.1s::gentoo masked by: package.mask) /etc/portage/package.mask: ^^^^^^^ At one point it appears to me that portage was proposing to install both openssl versions: sudo emerge @preserved-rebuild [ebuild rR ] dev-libs/openssl-1.1.1s:0/1.1::gentoo USE="asm vanilla -rfc3779 -sctp -sslv3 -static-libs -test -tls-compression -tls-heartbeat -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 9,638 KiB [ebuild r U ] dev-libs/openssl-3.0.7-r1:0/3::gentoo [1.1.1s:0/1.1::gentoo] USE="asm vanilla -fips% -ktls% -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers (-sslv3%) (-tls-heartbeat%)" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 14,754 KiB ^^^^^^^ And here complaining of a slot conflict: sudo emerge -a =dev-libs/openssl-3.0.7-r2 These are the packages that would be merged, in order: Calculating dependencies ... done! [ebuild r U ] dev-libs/openssl-3.0.7-r2 [1.1.1s] USE="-fips% -ktls%" [ebuild rR ] sys-apps/coreutils-9.1-r2 [ebuild rR ] net-misc/rsync-3.2.7-r1 [ebuild rR ] dev-libs/libevent-2.1.12 [ebuild rR ] dev-perl/Net-SSLeay-1.920.0 [ebuild rR ] sys-fs/diskdev_cmds-332.14_p1-r4 [ebuild rR ] dev-lang/python-3.10.9 [ebuild rR ] net-misc/curl-7.87.0 [ebuild rR ] sys-fs/cryptsetup-2.4.3-r2 [ebuild rR ] sys-apps/systemd-252.4 [ebuild rR ] net-misc/wget-1.21.3-r1 [ebuild rR ] dev-lang/python-3.9.16 [ebuild rR ] app-crypt/rhash-1.4.3 [ebuild rR ] app-arch/xar-1.8.0.0.487.100.1 [ebuild rR ] media-libs/opusfile-0.12-r1 [ebuild rR ] net-libs/neon-0.32.4 [ebuild rR ] app-arch/libarchive-3.6.1-r1 [ebuild rR ] net-vpn/tor-0.4.7.12 [ebuild rR ] net-misc/openssh-9.1_p1-r1 [ebuild rR ] dev-lang/ruby-3.1.3 [ebuild rR ] dev-python/m2crypto-0.38.0 [ebuild rR ] net-wireless/crda-4.14 [ebuild rR ] dev-python/cryptography-38.0.4 [ebuild rR ] app-crypt/mit-krb5-1.20.1 [ebuild rR ] app-editors/xemacs-21.5.34-r13 [ebuild rR ] app-admin/sudo-1.9.12_p1 [ebuild rR ] app-text/qpdf-11.2.0-r1 [ebuild rR ] net-libs/libtorrent-rasterbar-1.2.18 [ebuild rR ] net-libs/libssh-0.10.4 [ebuild r U ] net-libs/libtorrent-rasterbar-2.0.8 [1.2.18] USE="-gnutls%" PYTHON_SINGLE_TARGET="-python3_11%" [ebuild rR ] net-wireless/wpa_supplicant-2.10-r1 [ebuild rR ] dev-vcs/git-2.39.0 [ebuild rR ] app-portage/portage-utils-0.94.4 [ebuild rR ] net-dialup/ppp-2.4.9-r8 [ebuild rR ] dev-qt/qtnetwork-5.15.7 [ebuild rR ] net-p2p/qbittorrent-4.4.5-r2 [ebuild rR ] media-sound/pulseaudio-daemon-16.1-r6 !!! Multiple package instances within a single package slot have been pulled !!! into the dependency graph, resulting in a slot conflict: dev-libs/openssl:0 (dev-libs/openssl-3.0.7-r2:0/3::gentoo, ebuild scheduled for merge) USE="asm vanilla -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" pulled in by =dev-libs/openssl-3.0.7-r2 (Argument) (dev-libs/openssl-1.1.1s:0/1.1::gentoo, installed) USE="asm vanilla -rfc3779 -sctp -sslv3 -static-libs -test -tls-compression -tls-heartbeat -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" pulled in by dev-libs/openssl:0/1.1= required by (www-client/w3m-0.5.3_p20220429-r1:0/0::gentoo, installed) USE="X fbcon nls ssl unicode -gdk-pixbuf -gpm -imlib -lynxkeymap -nntp -xface" ABI_X86="(64)" L10N="-ja" The following packages are causing rebuilds: (dev-libs/openssl-3.0.7-r2:0/3::gentoo, ebuild scheduled for merge) causes rebuilds for: (net-misc/wget-1.21.3-r1:0/0::gentoo, ebuild scheduled for merge) (net-vpn/tor-0.4.7.12:0/0::gentoo, ebuild scheduled for merge) (media-sound/pulseaudio-daemon-16.1-r6:0/0::gentoo, ebuild scheduled for merge) (net-libs/libssh-0.10.4:0/4::gentoo, ebuild scheduled for merge) (net-wireless/wpa_supplicant-2.10-r1:0/0::gentoo, ebuild scheduled for merge) (dev-libs/libevent-2.1.12:0/2.1-7::gentoo, ebuild scheduled for merge) (sys-fs/cryptsetup-2.4.3-r2:0/12::gentoo, ebuild scheduled for merge) (sys-fs/diskdev_cmds-332.14_p1-r4:0/0::gentoo, ebuild scheduled for merge) (net-misc/openssh-9.1_p1-r1:0/0::gentoo, ebuild scheduled for merge) (app-text/qpdf-11.2.0-r1:0/11::gentoo, ebuild scheduled for merge) (net-wireless/crda-4.14:0/0::gentoo, ebuild scheduled for merge) (app-arch/libarchive-3.6.1-r1:0/13::gentoo, ebuild scheduled for merge) (net-libs/libtorrent-rasterbar-1.2.18:0/10::gentoo, ebuild scheduled for merge) (dev-lang/python-3.10.9:3.10/3.10::gentoo, ebuild scheduled for merge) (dev-qt/qtnetwork-5.15.7:5/5.15::gentoo, ebuild scheduled for merge) (sys-apps/coreutils-9.1-r2:0/0::gentoo, ebuild scheduled for merge) (app-arch/xar-1.8.0.0.487.100.1:0/0::gentoo, ebuild scheduled for merge) (dev-vcs/git-2.39.0:0/0::gentoo, ebuild scheduled for merge) (dev-python/m2crypto-0.38.0:0/0::gentoo, ebuild scheduled for merge) (net-misc/rsync-3.2.7-r1:0/0::gentoo, ebuild scheduled for merge) (app-crypt/rhash-1.4.3:0/0::gentoo, ebuild scheduled for merge) (dev-python/cryptography-38.0.4:0/0::gentoo, ebuild scheduled for merge) (dev-lang/python-3.9.16:3.9/3.9::gentoo, ebuild scheduled for merge) (net-libs/neon-0.32.4:0/27::gentoo, ebuild scheduled for merge) (media-libs/opusfile-0.12-r1:0/0::gentoo, ebuild scheduled for merge) (net-p2p/qbittorrent-4.4.5-r2:0/0::gentoo, ebuild scheduled for merge) (dev-lang/ruby-3.1.3:3.1/3.1::gentoo, ebuild scheduled for merge) (app-admin/sudo-1.9.12_p1:0/0::gentoo, ebuild scheduled for merge) (net-misc/curl-7.87.0:0/0::gentoo, ebuild scheduled for merge) (net-dialup/ppp-2.4.9-r8:0/2.4.9::gentoo, ebuild scheduled for merge) (dev-perl/Net-SSLeay-1.920.0:0/0::gentoo, ebuild scheduled for merge) (app-portage/portage-utils-0.94.4:0/0::gentoo, ebuild scheduled for merge) (sys-apps/systemd-252.4:0/2::gentoo, ebuild scheduled for merge) (app-editors/xemacs-21.5.34-r13:0/0::gentoo, ebuild scheduled for merge) (app-crypt/mit-krb5-1.20.1:0/0::gentoo, ebuild scheduled for merge) !!! The following installed packages are masked: - dev-libs/openssl-1.1.1s::gentoo (masked by: package.mask) ^^^^^^^ After unemerging openssl-1.1.1s and installing dev-libs/openssl-3.0.7-r2: sudo emerge --info openssl dev-libs/openssl-3.0.7-r2::gentoo was built with the following: USE="asm vanilla -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -verify-sig -weak-ssl-ciphers" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" CFLAGS="-march=native -O2 -pipe -fno-strict-aliasing -Wa,--noexecstack" CXXFLAGS="-march=native -O2 -pipe -fno-strict-aliasing -Wa,--noexecstack" FEATURES="binpkg-docompress distlocks config-protect-if-modified unmerge-orphans ipc-sandbox unknown-features-warn qa-unresolved-soname-deps ebuild-locks usersync userpriv assume-digests multilib-strict sandbox fixlafiles sfperms news binpkg-logs pid-sandbox protect-owned binpkg-dostrip parallel-fetch nodoc strict network-sandbox xattr usersandbox preserve-libs merge-sync buildpkg-live unmerge-logs binpkg-multi-instance candy" sudo emerge -avuDN --ask --keep-going world Still calling for "=dev-libs/openssl-1.1*:0=" !!! All ebuilds that could satisfy "=dev-libs/openssl-1.1*:0=" have been masked. !!! One of the following masked packages is required to complete your request: - dev-libs/openssl-1.1.1s::gentoo (masked by: package.mask) /etc/portage/package.mask: ^^^^^^^ If emerging openssl-3.0.7-r2 is intended to obsolete vulnerable lesser versions, portage does not appear to be updating to openssl-3.0.7-r2 and also eliminating the requirement for lesser versions.
1.1.1s is not vulnerable, it's currently still supported and getting new releases whenever there's issues (it's also the current stable version still). If you remove masks and attempt a normal world upgrade, e.g. emerge -uUDav @world, it may either successfully upgrade to 3 or there may be a "WARNING:" telling you why it can't be upgraded yet (it's possible you still have a package installed that hasn't been ported to openssl-3 yet and prevent upgrading for now).