diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index a4a32f15f..0bf8616be 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -47,6 +47,8 @@ python-rich:
 
 {% if GLOBALS.os_family == 'RedHat' %}
 
+# holding these since openssl-devel-1:3.0.7-16.0.1.el9_2 seems to be a requirement for mariadb-devel-3:10.5.16-2.el9_0
+# https://github.com/Security-Onion-Solutions/securityonion/discussions/11443
 holdversion_openssl:
   pkg.held:
     - name: openssl
diff --git a/setup/so-functions b/setup/so-functions
index 679142e2a..26e1b2dab 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2443,7 +2443,8 @@ update_sudoers_for_testing() {
 update_packages() {
 	if [[ $is_oracle ]]; then
 		logCmd "dnf repolist"
-		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+		# holding openssl https://github.com/Security-Onion-Solutions/securityonion/discussions/11443
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,openssl*"
 		RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
 		info "Removing repo files added by oracle-repos package update"
 		for FILE in ${RMREPOFILES[@]}; do