-
Licaon_Kter
PSA maybe? No? https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/
-
Zash
I imagine not many have upgraded to OpenSSL 3.x just yet, but probably worth double checking.
-
Zash
If it's a security issue, why is it reported on a random blog before a fix is released?
-
Menel
He wonders why nobody is talking about it... But didn't consider it is *because* the fix wasn't released yet 😀.
-
Ray22
Based on my reading, he reports an initial issue to BoringSSL late May, Google confirms there's a bug but says it's no security risk. However, in fixing that bug a new bug is introduced (bits vs bytes) which is a security issue. That bug is fixed June 22, and he writes his blog post 5 days later probably because (IMO) the bug was openly discussed as a possible critical issue and OpenSSL hadn't released a new version [1].
[1] https://github.com/openssl/openssl/issues/18625