OpenSSL 3.3.3 Security Vulnerability
Prasad, PCRaghavendra
Hi Team,
We are currently on OpenSSL 3.3.3 version. On this version there is security vulnerability.
To fix this we have upgraded the version to OpenSSL 3.3.4 which is mentioned that will resolve the issue.
But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
libssl - 3.3.3
libcrypto - 3.3.4
So untill now in OpenSSL we didnt see 2 different versions being carried? why is this version having multiple versions of openssl?
can we take this version for the resolution of CVE-2025-27587?
Thanks,
Raghavendra
Internal Use - Confidential
The Doctor
>
> Thanks,
> Raghavendra
>
>
Rag, what opeerating system are you using?
>
> Internal Use - Confidential
>
> --
> You received this message because you are subscribed to the Google Groups "openssl-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
> To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/MN2PR19MB4029FD1265BD0B502C95E167EBE6A%40MN2PR19MB4029.namprd19.prod.outlook.com.
--
Member - Liberal International This is doc...@nk.ca Ici doc...@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ;
All I want to hear from JEsus Christ is WEll done Good and Faithful servant
Michael Wojcik
> Sent: Tuesday, 30 September, 2025 20:59
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3
> libcrypto - 3.3.4
I haven't looked at the 3.3.4 sources, but this is probably not an OpenSSL issue.
--
Michael Wojcik
================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================
This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.
Prasad, PCRaghavendra
Any input on this will be appreciated.
For our current release we need to decide based on this.
Thanks in advance
Internal Use - Confidential
Tomas Mraz
Tomas Mraz, OpenSSL Foundation
Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
Join the Code Protectors or support us on Github Sponsors
https://openssl-foundation.org/donate/
Prasad, PCRaghavendra
Hi Team,
Please any help on this is very appreciated
Thanks,
Raghavendra
Internal Use - Confidential
From: Prasad, PCRaghavendra
Sent: Wednesday, October 8, 2025 6:31 PM
To: 'openss...@openssl.org' <openss...@openssl.org>; 'opens...@openssl.org' <opens...@openssl.org>
Cc: Tomas Mraz <to...@openssl.org>
Subject: RE: OpenSSL 3.3.3 Security Vulnerability
Any input on this will be appreciated.
For our current release we need to decide based on this.
Thanks in advance
From: Prasad, PCRaghavendra
Sent: Wednesday, October 1, 2025 8:29 AM
To: openss...@openssl.org;
opens...@openssl.org
Subject: OpenSSL 3.3.3 Security Vulnerability
Viktor Dukhovni
> We are currently on OpenSSL 3.3.3 version. On this version there is security vulnerability.
> To fix this we have upgraded the version to OpenSSL 3.3.4 which is mentioned that will resolve the issue.
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3 libcrypto - 3.3.4
to the cause of the reported symptoms.
You need to report what OpenSSL artefacts are installed on your system
and in what filesystem locations. This includes headers, static and
shared libraries.
You also need to report a more detailed verbatim output from the tool
in question, and identify whether it is reporting any compile-time
data derived from your headers, runtime data from API calls to
libraries after linking with a specific static or shared library,
or by through sort fingerprinting scan by the tool (which could
be error prone, or might be confused if multiple OpenSSL versions
are installed).
--
Viktor. 🇺🇦 Слава Україні!
Michael Wojcik
To: openss...@openssl.org; opens...@openssl.org
...
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
This is NOT an OpenSSL issue. It conceivably could be a problem with your build process, but is almost certainly a BlackDuck issue. Fix it manually in the scan, or take it up with BlackDuck.
Marian Beermann
> OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack,
Are you actually shipping powerpc binaries?
> This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.
Is this actually your threat model?
> So untill now in OpenSSL we didnt see 2 different versions being carried? why is this version having multiple versions of openssl?
You should discuss blackduck misdetections with your vendor (Black Duck Software Inc.), since they are unrelated to the OpenSSL project.
Cheers, Marian
--