On 2021-09-01 08:08, Jonathan McNickle wrote:
> I was wondering if plans were in place to update OpenSSL to version 1.1.1l to
> fix the latest high sev security issue?
> https://www.openssl.org/news/secadv/20210824.txt

[redirected from patches (Cygwin DLL etc.) to apps (Packages)]

SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High is probably not a huge concern, as SM2 is not a commonly specified cipher suite, except possibly in China; although the Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Moderate is fairly serious, as OpenSSL assumes some ASN1 strings with given length are also nul terminated when they need not be, allowing DoS and disclosures.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
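
The CVE-2021-3712 class of bug mentioned above comes from treating a length-delimited value as a C string. The following is an added example, not OpenSSL's code and not part of the original message, showing a conversion that relies only on the stored length; `struct lenstr`, `lenstr_to_cstr` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-carrying ASN.1 string: the bytes are
 * valid only for [data, data + len) and no NUL terminator is promised. */
struct lenstr {
    const unsigned char *data;
    size_t len;
};

/* The flawed assumption looks like strlen((const char *)s->data) or
 * printf("%s", s->data): both read until a NUL that may lie past the
 * end of the value, which is the overread described above. */

/* Copy s into out as a C string using only s->len.
 * Returns the length copied, -1 if the value holds an embedded NUL
 * (a C string would silently truncate it), -2 on bad input or if out
 * is too small. */
long lenstr_to_cstr(const struct lenstr *s, char *out, size_t outsz)
{
    if (s == NULL || out == NULL || outsz == 0)
        return -2;
    if (s->len > 0 && s->data == NULL)
        return -2;
    if (s->len >= outsz)            /* need room for the terminator */
        return -2;
    if (s->len > 0 && memchr(s->data, '\0', s->len) != NULL)
        return -1;
    if (s->len > 0)
        memcpy(out, s->data, s->len);
    out[s->len] = '\0';             /* terminator added by us, not assumed */
    return (long)s->len;
}

/* Constructed sample: a 4-byte value followed directly by unrelated bytes,
 * with no NUL anywhere in the buffer. */
static const unsigned char sample_mem[8] = {'h','o','s','t','S','E','C','R'};

int main(void)
{
    struct lenstr s = { sample_mem, 4 };
    char buf[16];
    long n = lenstr_to_cstr(&s, buf, sizeof buf);
    printf("%ld %s\n", n, buf);
    return 0;
}
```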
