Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Report: OpenSSL on Intel 64 bit (future release) #117

Open
adamfowleruk opened this issue Jul 6, 2022 · 0 comments
Open

Security Report: OpenSSL on Intel 64 bit (future release) #117

adamfowleruk opened this issue Jul 6, 2022 · 0 comments
Assignees
Labels
enhancement New feature or request verify New bug report that has not yet been verified
Milestone

Comments

@adamfowleruk
Copy link
Contributor

Describe the security concern

OpenSSL v3 has an issue on 64bit Intel environments (not currently a target runtime for Herald for C++). We need to ensure we're using a version that is patched (no releases currently are) before we release support for Intel 64bit as a target (non-development) runtime.

Severity (Project team may edit this section after reporting)

Severe on Intel 64 bit (currently not a supported target environment, only for dev).

https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

We're currently not using these algorithms in Herald. We only use SHA256 (and only as one of many options) and only on non-Intel platforms as a target environment. (Currently we use Intel 64bit as a test environment for automated CI only. This may change in a future release - E.g. if we choose to support Linux PinePhone / desktop.).

Describe the potential solution you'd like

Adopt a fixed release of openssl 3.x when available (it's not currently)

Describe alternatives you've considered

Documenting only (as its not currently a target runtime environment).

Additional context

Add any other context about the problem here.

NONE

Notification

DO NOT MODIFY THE BELOW - it will alert the maintainers once you submit your report.

@theheraldproject/committers

@adamfowleruk adamfowleruk added enhancement New feature or request verify New bug report that has not yet been verified labels Jul 6, 2022
@adamfowleruk adamfowleruk self-assigned this Jul 6, 2022
@adamfowleruk adamfowleruk added this to the Unscheduled milestone Jul 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request verify New bug report that has not yet been verified
Projects
None yet
Development

No branches or pull requests

1 participant