diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 29484ad90249..bc8379795d0b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,16 +28,16 @@ jobs:
 PYTHON:
 - {VERSION: "3.10", TOXENV: "flake"}
 - {VERSION: "3.10", TOXENV: "rust"}
- - {VERSION: "3.10", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.0.6"}}
+ - {VERSION: "3.10", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
 - {VERSION: "pypy-3.7", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r"}}
- - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r"}}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.6"}}
- - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.6"}}
+ - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
+ - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
+ - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
+ - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
+ - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.5"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.2.7"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.3.6"}}
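Review bot: The OpenSSL 3.x rows of this matrix (`docs`, `py310` and the `--enable-fips=1` row) now build against 3.0.5, while the CHANGELOG entry in the same commit says the 38.0.3 wheels are compiled with 3.0.7 to resolve CVE-2022-3602 and CVE-2022-3786, so no row visible here tests the OpenSSL release the wheels ship with. If the pin is deliberate (the 38.0.2 note mentions a regression in OpenSSL), a comment above these rows should say so, for example `# pinned to 3.0.5 because of the 3.0.6 regression; bump to 3.0.7 together with the wheels`; otherwise the three rows should read `VERSION: "3.0.7"`. Where the wheel builds take their OpenSSL from is not visible in this diff, so the mismatch is inferred from the matrix and the changelog alone. The matrix list starts before the hunk and continues after it.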
@@ -492,6 +492,23 @@ jobs: - run: pip install . env: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} + # cryptography main has a version of "(X+1).0.0.dev1" where X is the + # most recently released major version. A package used by a downstream + # may depend on cryptography <=X. If you use entrypoints stuff, this can + # lead to runtime errors due to version incompatibilities. Rename the + # dist-info directory to pretend to be an older version to "solve" this. + - run: | + import json + import pkg_resources + import shutil + import urllib.request + + d = pkg_resources.get_distribution("cryptography") + with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r: + latest_version = json.load(r)["info"]["version"] + new_path = d.egg_info.replace(d.version, latest_version) + shutil.move(d.egg_info, new_path) + shell: python - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run docs-linkcheck: diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index ecabcb5529c1..5e07cdbca205 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -26,10 +26,10 @@ jobs: fail-fast: false matrix: PYTHON: - - { VERSION: "cp36-cp36m", PATH: "/opt/python/cp36-cp36m/bin/python", ABI_VERSION: 'cp36' } - - { VERSION: "pypy3.7", PATH: "/opt/pypy3.7/bin/pypy" } - - { VERSION: "pypy3.8", PATH: "/opt/pypy3.8/bin/pypy" } - - { VERSION: "pypy3.9", PATH: "/opt/pypy3.9/bin/pypy" } + - { VERSION: "cp36-cp36m", ABI_VERSION: 'cp36' } + - { VERSION: "pp37-pypy37_pp73" } + - { VERSION: "pp38-pypy38_pp73" } + - { VERSION: "pp39-pypy39_pp73" } MANYLINUX: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64" } - { name: "manylinux_2_24_x86_64", CONTAINER: "cryptography-manylinux_2_24:x86_64"} 
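Review bot: In the `@@ -492` hunk of ci.yml, the added `shell: python` step splices `latest_version`, read from the PyPI JSON response, straight into the path handed to `shutil.move` without checking its shape, and the `urlopen` call has no timeout. A stalled response hangs the downstream job, and an unexpected value renames the metadata directory to something the later step cannot find. I would call `urllib.request.urlopen("https://pypi.org/pypi/cryptography/json", timeout=30)` and guard the value before use with `assert re.fullmatch(r"[0-9]+(\.[0-9]+)*", latest_version), latest_version` (plus `import re`). `d.egg_info.replace(d.version, latest_version)` also rewrites every occurrence of the version string in the full path rather than only in the directory's base name, so applying the replace to `os.path.basename(d.egg_info)` and re-joining with the parent directory would be tighter. The existing comment could add one line noting that this step needs network access to pypi.org, which helps when a downstream job fails for reasons unrelated to the change under test.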
@@ -37,11 +37,11 @@ jobs: - { name: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64"} exclude: # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pypy3.7", PATH: "/opt/pypy3.7/bin/pypy" } + - PYTHON: { VERSION: "pp37-pypy37_pp73" } MANYLINUX: { name: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64" } - - PYTHON: { VERSION: "pypy3.8", PATH: "/opt/pypy3.8/bin/pypy" } + - PYTHON: { VERSION: "pp38-pypy38_pp73" } MANYLINUX: { name: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64"} - - PYTHON: { VERSION: "pypy3.9", PATH: "/opt/pypy3.9/bin/pypy" } + - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { name: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64"} name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" steps: @@ -49,7 +49,7 @@ jobs: with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} - - run: ${{ matrix.PYTHON.PATH }} -m venv .venv + - run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv - name: Install Python dependencies run: .venv/bin/pip install -U pip wheel cffi setuptools-rust - name: Make sdist diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7606ce745a95..9cd4c7e6cd40 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,11 +1,23 @@ Changelog ========= +.. _v38-0-3: + +38.0.3 - 2022-11-01 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7, + which resolves *CVE-2022-3602* and *CVE-2022-3786*. + .. _v38-0-2: 38.0.2 - 2022-10-11 ~~~~~~~~~~~~~~~~~~~ +.. attention:: + + This release was subsequently yanked from PyPI due to a regression in OpenSSL. + * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6. .. _v38-0-1: diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 1fe833a9c583..15425c916bf0 100644 --- a/src/cryptography/__about__.py 
+++ b/src/cryptography/__about__.py @@ -9,7 +9,7 @@ "__copyright__", ] -__version__ = "38.0.2" +__version__ = "38.0.3" __author__ = "The Python Cryptographic Authority and individual contributors" __copyright__ = "Copyright 2013-2022 {}".format(__author__) diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index b95c0084f254..72ae92bc835c 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "38.0.2" +__version__ = "38.0.3"