Hrm. OpenSSL 1.1.1 update today? From IRC:

No mention anywhere else yet?

"OpenSSL will release a new update on 2021/03/25; it will fix two "High" severity issues. These issues do not affect OpenSSL versions before 1.1.1:

CVE-2021-3449: NULL pointer deref in signature_algorithms processing

CVE-2021-3450: CA certificate check bypass with X509_V_FLAG_X509_STRICT"

(This looks like a somewhat botched advisory, and it's also not yet listed on their overview page. Wonder if they broke an embargo there?)


Ah, the OpenSSL 1.1.1 advisory for CVE-2021-3450 and CVE-2021-3449 is now out officially:
