NetTalk Central

Author Topic: OpenSSL 3.0.0 vulnerability  (Read 5022 times)

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
OpenSSL 3.0.0 vulnerability
« on: November 01, 2022, 09:13:34 PM »
There's a fair amount of chatter going on about two OpenSSL vulnerabilities;

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
https://www.bleepingcomputer.com/news/security/openssl-fixes-two-high-severity-vulnerabilities-what-you-need-to-know/
https://news.ycombinator.com/item?id=33422837

I'm posting this to let you know that NetTalk apps are not affected. We are currently on OpenSSL build 1.1.1.14, which predates these issues (which are version 3.0.0 specific.)

For non-NetTalk sites you also shouldn't panic - as per the second link above, only about 1.5% of OpenSSL deployments are on 3.x - 65% are like us on 1.1.1 and just over 30% are on an older version.

Incidentally the bugs have also been down-rated from Critical to High as the conditions under which they could be exploited are extremely narrow (and also wouldn't affect a typical NetTalk server.)

Cheers
Bruce