Skip to content

Security Report: OpenSSL on Intel 64 bit (future release) #117

New issue
New issue
Open
Open
Security Report: OpenSSL on Intel 64 bit (future release)#117
Assignees
adamfowleruk
Labels
enhancementNew feature or requestverifyNew bug report that has not yet been verified
Milestone
Unscheduled
@adamfowleruk

Description

@adamfowleruk
adamfowleruk
opened on Jul 6, 2022

Describe the security concern

OpenSSL v3 has an issue on 64bit Intel environments (not currently a target runtime for Herald for C++). We need to ensure we're using a version that is patched (no releases currently are) before we release support for Intel 64bit as a target (non-development) runtime.

Severity (Project team may edit this section after reporting)

Severe on Intel 64 bit (currently not a supported target environment, only for dev).

https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

We're currently not using these algorithms in Herald. We only use SHA256 (and only as one of many options) and only on non-Intel platforms as a target environment. (Currently we use Intel 64bit as a test environment for automated CI only. This may change in a future release - E.g. if we choose to support Linux PinePhone / desktop.).

Describe the potential solution you'd like

Adopt a fixed release of openssl 3.x when available (it's not currently)

Describe alternatives you've considered

Documenting only (as its not currently a target runtime environment).

Additional context

Add any other context about the problem here.

NONE

Notification

DO NOT MODIFY THE BELOW - it will alert the maintainers once you submit your report.

@theheraldproject/committers

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestverifyNew bug report that has not yet been verified

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions