XMPP Service Operators - 2022-07-01

  1. Licaon_Kter

    PSA maybe? No? https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

  2. Zash

    I imagine not many have upgraded to OpenSSL 3.x just yet, but probably worth double checking.

  3. Zash

    If it's a security issue, why is it reported on a random blog before a fix is released?

  4. Menel

    He wonders why nobody is talking about it, but didn't consider it is *because* the fix wasn't released yet 😀.

  5. Ray22

    Based on my reading, he reports an initial issue to BoringSSL late May, Google confirms there's a bug but says it's no security risk. However, in fixing that bug a new bug is introduced (bits vs bytes) which is a security issue. That bug is fixed June 22, and he writes his blog post 5 days later probably because (IMO) the bug was openly discussed as a possible critical issue and OpenSSL hadn't released a new version [1]. [1] https://github.com/openssl/openssl/issues/18625