public inbox for cygwin-apps@cygwin.com
* Re: OpenSSL Package Upgrade to 1.1.1L
       [not found] <VI1PR06MB5918473FFC0A05EAD0002798F2CD9@VI1PR06MB5918.eurprd06.prod.outlook.com>
@ 2021-09-01 21:40 ` Brian Inglis
  0 siblings, 0 replies; only message in thread
From: Brian Inglis @ 2021-09-01 21:40 UTC (permalink / raw)
  To: cygwin-apps; +Cc: Jonathan McNickle

On 2021-09-01 08:08, Jonathan McNickle wrote:
> I was wondering if plans were in place to update OpenSSL to version 1.1.1l to fix the latest high sev security issue?
> https://www.openssl.org/news/secadv/20210824.txt

[redirected from patches (Cygwin DLL etc.) to apps (Packages)]

SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High is 
probably not a huge concern, as SM2 is not a commonly specified 
cipher suite, except possibly in China; although the Read buffer 
overruns processing ASN.1 strings (CVE-2021-3712) Severity: Moderate is 
fairly serious, as OpenSSL assumes some ASN1 strings with given length 
are also nul terminated when they need not be, allowing DoS and 
disclosures.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
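
The read over-run described in the message above, shown as an added example that is not part of the original message and is not OpenSSL code. The struct `lstring`, the functions and the sample bytes are hypothetical and constructed for illustration; the sample keeps the value and the bytes after it in one array so the demonstration stays well defined.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-delimited ASN.1 string: the value is
 * data[0..length); nothing promises a NUL byte at data[length]. */
struct lstring { const unsigned char *data; size_t length; };

/* Unsafe pattern: treats the value as a C string and scans for a NUL. */
size_t unsafe_len(const struct lstring *s)
{
    return strlen((const char *)s->data);
}

/* Safe pattern: copy exactly `length` bytes, reject embedded NULs and
 * values that do not fit, then terminate the copy ourselves.
 * Returns 0 on success, -1 on rejection. */
int safe_to_cstr(const struct lstring *s, char *out, size_t outsz)
{
    if (s->data == NULL || outsz == 0 || s->length >= outsz)
        return -1;
    if (memchr(s->data, '\0', s->length) != NULL)
        return -1;
    memcpy(out, s->data, s->length);
    out[s->length] = '\0';
    return 0;
}

/* Constructed sample: an 11-byte value followed, in the same array,
 * by unrelated bytes that are not part of the value. */
static const unsigned char arena[] = "example.org" "ADJACENT-DATA";

struct lstring sample(void)
{
    struct lstring s = { arena, 11 };
    return s;
}

int main(void)
{
    struct lstring s = sample();
    char buf[64];
    printf("declared length: %zu\n", s.length);
    printf("strlen sees:     %zu\n", unsafe_len(&s));
    if (safe_to_cstr(&s, buf, sizeof buf) == 0)
        printf("safe copy:       %s\n", buf);
    return 0;
}
```

The gap between the declared length and what `strlen` reports is the over-read: bytes past the value are treated as part of it, and with no NUL nearby the scan would run off the end of the allocation.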
