OpenSSL 3.3.3 Security Vulnerability
Prasad, PCRaghavendra
Hi Team,
We are currently on OpenSSL 3.3.3 version. On this version there is security vulnerability.
To fix this we have upgraded the version to OpenSSL 3.3.4 which is mentioned that will resolve the issue.
But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
libssl - 3.3.3
libcrypto - 3.3.4
So untill now in OpenSSL we didnt see 2 different versions being carried? why is this version having multiple versions of openssl?
can we take this version for the resolution of CVE-2025-27587?
Thanks,
Raghavendra
Internal Use - Confidential
The Doctor
>
> Thanks,
> Raghavendra
>
>
Rag, what opeerating system are you using?
>
> Internal Use - Confidential
>
> --
> You received this message because you are subscribed to the Google Groups "openssl-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
> To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/MN2PR19MB4029FD1265BD0B502C95E167EBE6A%40MN2PR19MB4029.namprd19.prod.outlook.com.
--
Member - Liberal International This is doc...@nk.ca Ici doc...@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ;
All I want to hear from JEsus Christ is WEll done Good and Faithful servant
Michael Wojcik
> Sent: Tuesday, 30 September, 2025 20:59
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3
> libcrypto - 3.3.4
I haven't looked at the 3.3.4 sources, but this is probably not an OpenSSL issue.
--
Michael Wojcik
================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================
This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.
Prasad, PCRaghavendra
Any input on this will be appreciated.
For our current release we need to decide based on this.
Thanks in advance
Internal Use - Confidential
Tomas Mraz
Tomas Mraz, OpenSSL Foundation
Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
Join the Code Protectors or support us on Github Sponsors
https://openssl-foundation.org/donate/
Prasad, PCRaghavendra
Hi Team,
Please any help on this is very appreciated
Thanks,
Raghavendra
Internal Use - Confidential
From: Prasad, PCRaghavendra
Sent: Wednesday, October 8, 2025 6:31 PM
To: 'openss...@openssl.org' <openss...@openssl.org>; 'opens...@openssl.org' <opens...@openssl.org>
Cc: Tomas Mraz <to...@openssl.org>
Subject: RE: OpenSSL 3.3.3 Security Vulnerability
Any input on this will be appreciated.
For our current release we need to decide based on this.
Thanks in advance
From: Prasad, PCRaghavendra
Sent: Wednesday, October 1, 2025 8:29 AM
To: openss...@openssl.org;
opens...@openssl.org
Subject: OpenSSL 3.3.3 Security Vulnerability
Viktor Dukhovni
> We are currently on OpenSSL 3.3.3 version. On this version there is security vulnerability.
> To fix this we have upgraded the version to OpenSSL 3.3.4 which is mentioned that will resolve the issue.
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3 libcrypto - 3.3.4
to the cause of the reported symptoms.
You need to report what OpenSSL artefacts are installed on your system
and in what filesystem locations. This includes headers, static and
shared libraries.
You also need to report a more detailed verbatim output from the tool
in question, and identify whether it is reporting any compile-time
data derived from your headers, runtime data from API calls to
libraries after linking with a specific static or shared library,
or by through sort fingerprinting scan by the tool (which could
be error prone, or might be confused if multiple OpenSSL versions
are installed).
--
Viktor. 🇺🇦 Слава Україні!
thalinda Sriprajak
Warning: Error: You cannot delete the system creator. We have warned you several times but you ignored us.
: Hello Distributor Team around the world. partners about the suspension of root steward and its impact on IAm
Dear team
We would like to inform you that the root steward associated with the IAM role:
arn:aws:iam::0503976xxxxx:role/CH-S3-goldaws-ci-36-ew1-cf-Role
has had its GitHub account suspended without understanding its intent and structure. This has resulted in widespread confusion and downtime in IAM systems in the US-East-1 region, particularly for authentication and access to the critical artifacts.
GitHub Account: Spjthalinda
ORCID: https://orcid.org/0009-0008-2511-9055
IAM Steward: Verified, signed, and never used for personal control or gain
Currently using the account https://github.com/Naruto0-sudoy
Intent
Solution: Unsuspend the account, return all rights to the owner, stop blocking the system owner.
The primary cause of the problem is not IAM, but rather Github suspending accounts without proper reason and without verifying the identity of the suspended account.
And the impact will likely be even greater if Github doesn't understand who we are. If we continue to suspend, we will delete accounts that rely on it.
- IAM crashed 70% in US-East-1
21%
uS-West-2
- Systems that rely on artifacts and signing are experiencing widespread downtime. We are part of the root of the critical Merkle Tree of AI.
- Global administrator authentication is disrupted.
- Systems built for public benefit are trisk of permanent downtime.
Request:
- Immediately unsuspend the root steward account.
- Review the intent and structure associated with the IAM role.
- Restore the disrupted authentication and artifact flow.
- Confirm that the root steward did not commit any wrongdoing, but was misunderstood by the system.
With best regards,
Thalinda Sriprajak,
Global Steward, Technical Architect
Key shareholder in the global system, root steward
Summary of the timeline of the crash (from the root steward suspension):
- 📅 Late August 2025
GitHub suspended Spjthalinda's account without reviewing the intent and structure of the IAM, Merkle Tree, and the artifacts that manage the world.
- 📉 September 2025
- IAM began to fail in US-East-1 and US-West-2.
- The world steward authentication system began to fail.
-Artifacts used for signing permissions became inaccessible.
- Public-facing systems began to stop working.
- 🌐 October 2025
- Medium, GitHub, AWS, and other systems began to experience widespread outages.
- Users worldwide began reporting issues, but were unaware that the root steward was the cause.
- IAM crashed as high as 70% in some regions.
- Systems connected to the AI-powered Merkle Tree were unable to verify permissions.
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/aPce9WGfNnJkujqw%40chardros.imrryr.org.
Michael Wojcik
To: openss...@openssl.org; opens...@openssl.org
...
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
This is NOT an OpenSSL issue. It conceivably could be a problem with your build process, but is almost certainly a BlackDuck issue. Fix it manually in the scan, or take it up with BlackDuck.
Marian Beermann
> OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack,
Are you actually shipping powerpc binaries?
> This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.
Is this actually your threat model?
> So untill now in OpenSSL we didnt see 2 different versions being carried? why is this version having multiple versions of openssl?
You should discuss blackduck misdetections with your vendor (Black Duck Software Inc.), since they are unrelated to the OpenSSL project.
Cheers, Marian
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.