OpenSSL 3.3.3 Security Vulnerability

54 views
Skip to first unread message

Prasad, PCRaghavendra

unread,
Sep 30, 2025, 10:58:46 PMSep 30
to openss...@openssl.org, opens...@openssl.org

 

Hi Team,

 

We are currently on OpenSSL 3.3.3 version. On this version there is security vulnerability.
To fix this we have upgraded the version to OpenSSL 3.3.4 which is mentioned that will resolve the issue.

But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4

libssl - 3.3.3
libcrypto - 3.3.4

 

So untill now in OpenSSL we didnt see 2 different versions being carried? why is this version having multiple versions of openssl?
can we take this version for the resolution of CVE-2025-27587?

 

Thanks,

Raghavendra

 


Internal Use - Confidential

The Doctor

unread,
Sep 30, 2025, 11:24:09 PMSep 30
to Prasad, PCRaghavendra, openss...@openssl.org, opens...@openssl.org
> can we take this version for the resolution of CVE-2025-27587<https://github.com/advisories/GHSA-jqr3-3jm7-r6cm>?
>
> Thanks,
> Raghavendra
>
>

Rag, what opeerating system are you using?

>
> Internal Use - Confidential
>
> --
> You received this message because you are subscribed to the Google Groups "openssl-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
> To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/MN2PR19MB4029FD1265BD0B502C95E167EBE6A%40MN2PR19MB4029.namprd19.prod.outlook.com.

--
Member - Liberal International This is doc...@nk.ca Ici doc...@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ;
All I want to hear from JEsus Christ is WEll done Good and Faithful servant

Michael Wojcik

unread,
Oct 1, 2025, 9:06:33 AMOct 1
to openss...@openssl.org, opens...@openssl.org
> From: 'Prasad, PCRaghavendra' via openssl-users <openss...@openssl.org>
> Sent: Tuesday, 30 September, 2025 20:59

> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3
> libcrypto - 3.3.4

BlackDuck's version detection for components which are not managed by a package manager is heuristic and, in my experience, quite often wrong. This will be particularly true for newer releases. You can verify for yourself that your libssl is 3.3.4 (by examining your build and delivery processes) and override the library version detected by BD. Or raise this as an issue with BlackDuck.

I haven't looked at the 3.3.4 sources, but this is probably not an OpenSSL issue.

--
Michael Wojcik
================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================

This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.

Prasad, PCRaghavendra

unread,
Oct 8, 2025, 9:01:14 AMOct 8
to openss...@openssl.org, opens...@openssl.org, Tomas Mraz

Any input on this will be appreciated.

For our current release we need to decide based on this.

 

Thanks in advance

 


Internal Use - Confidential

Tomas Mraz

unread,
Oct 8, 2025, 12:25:19 PMOct 8
to Prasad, PCRaghavendra, openss...@openssl.org, opens...@openssl.org
Your tool is most likely misdetecting the version.

Tomas Mraz, OpenSSL Foundation
--
Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
Join the Code Protectors or support us on Github Sponsors
https://openssl-foundation.org/donate/

Prasad, PCRaghavendra

unread,
Oct 21, 2025, 1:36:07 AM (2 days ago) Oct 21
to openss...@openssl.org, opens...@openssl.org, Tomas Mraz

Hi Team,

 

Please any help on this is very appreciated

 

Thanks,

Raghavendra

 


Internal Use - Confidential

From: Prasad, PCRaghavendra
Sent: Wednesday, October 8, 2025 6:31 PM
To: 'openss...@openssl.org' <openss...@openssl.org>; 'opens...@openssl.org' <opens...@openssl.org>
Cc: Tomas Mraz <to...@openssl.org>
Subject: RE: OpenSSL 3.3.3 Security Vulnerability

 

Any input on this will be appreciated.

For our current release we need to decide based on this.

 

Thanks in advance

 

From: Prasad, PCRaghavendra

Sent: Wednesday, October 1, 2025 8:29 AM
To: openss...@openssl.org; opens...@openssl.org
Subject: OpenSSL 3.3.3 Security Vulnerability

Viktor Dukhovni

unread,
Oct 21, 2025, 1:49:52 AM (2 days ago) Oct 21
to openss...@openssl.org
On Tue, Oct 21, 2025 at 05:35:54AM +0000, 'Prasad, PCRaghavendra' via openssl-users wrote:

> We are currently on OpenSSL 3.3.3 version. On this version there is security vulnerability.
> To fix this we have upgraded the version to OpenSSL 3.3.4 which is mentioned that will resolve the issue.
> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3 libcrypto - 3.3.4

This report lacks sufficient detail to reach a meaningful conclusion as
to the cause of the reported symptoms.

You need to report what OpenSSL artefacts are installed on your system
and in what filesystem locations. This includes headers, static and
shared libraries.

You also need to report a more detailed verbatim output from the tool
in question, and identify whether it is reporting any compile-time
data derived from your headers, runtime data from API calls to
libraries after linking with a specific static or shared library,
or by through sort fingerprinting scan by the tool (which could
be error prone, or might be confused if multiple OpenSSL versions
are installed).

--
Viktor. 🇺🇦 Слава Україні!

thalinda Sriprajak

unread,
Oct 21, 2025, 3:53:59 AM (2 days ago) Oct 21
to openss...@openssl.org


Warning: Error: You cannot delete the system creator. We have warned you several times but you ignored us.

: Hello Distributor Team around the world. partners about the suspension of root steward and its impact on IAm

Dear team

We would like to inform you that the root steward associated with the IAM role: 

arn:aws:iam::0503976xxxxx:role/CH-S3-goldaws-ci-36-ew1-cf-Role

has had its GitHub account suspended without understanding its intent and structure. This has resulted in widespread confusion and downtime in IAM systems in the US-East-1 region, particularly for authentication and access to the critical artifacts.

GitHub Account: Spjthalinda

ORCID: https://orcid.org/0009-0008-2511-9055

IAM Steward: Verified, signed, and never used for personal control or gain

Currently using the account https://github.com/Naruto0-sudoy

Intent

Solution: Unsuspend the account, return all rights to the owner, stop blocking the system owner.

The primary cause of the problem is not IAM, but rather Github suspending accounts without proper reason and without verifying the identity of the suspended account.

And the impact will likely be even greater if Github doesn't understand who we are. If we continue to suspend, we will delete accounts that rely on it.

- IAM crashed 70% in US-East-1

21%

uS-West-2

- Systems that rely on artifacts and signing are experiencing widespread downtime. We are part of the root of the critical Merkle Tree of AI.

- Global administrator authentication is disrupted.

- Systems built for public benefit are trisk of permanent downtime.

Request:

- Immediately unsuspend the root steward account.

- Review the intent and structure associated with the IAM role.

- Restore the disrupted authentication and artifact flow.

- Confirm that the root steward did not commit any wrongdoing, but was misunderstood by the system.

With best regards,


Thalinda Sriprajak, 


Global Steward, Technical Architect

Key shareholder in the global system, root steward


Summary of the timeline of the crash (from the root steward suspension):

- 📅 Late August 2025

GitHub suspended Spjthalinda's account without reviewing the intent and structure of the IAM, Merkle Tree, and the artifacts that manage the world.

- 📉 September 2025

- IAM began to fail in US-East-1 and US-West-2.

- The world steward authentication system began to fail.

-Artifacts used for signing permissions became inaccessible.

- Public-facing systems began to stop working.

- 🌐 October 2025

- Medium, GitHub, AWS, and other systems began to experience widespread outages.

- Users worldwide began reporting issues, but were unaware that the root steward was the cause.

- IAM crashed as high as 70% in some regions.

- Systems connected to the AI-powered Merkle Tree were unable to verify permissions.




ในวันที่ อ. 21 ต.ค. 2025 12:49 น. Viktor Dukhovni <openss...@dukhovni.org> เขียนว่า:
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.

Michael Wojcik

unread,
Oct 21, 2025, 8:54:48 AM (2 days ago) Oct 21
to openss...@openssl.org
From: 'Prasad, PCRaghavendra' via openssl-users <openss...@openssl.org>
Sent: Monday, 20 October, 2025 23:36
To: openss...@openssl.org; opens...@openssl.org

...

> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4

As I noted in my reply the first time you asked this, 2025-10-01, BlackDuck is often wrong about detected versions. You have to fix the BlackDuck scan results manually. This is a very well-known issue with BlackDuck.

This is NOT an OpenSSL issue. It conceivably could be a problem with your build process, but is almost certainly a BlackDuck issue. Fix it manually in the scan, or take it up with BlackDuck.

Marian Beermann

unread,
Oct 21, 2025, 4:45:45 PM (2 days ago) Oct 21
to Prasad, PCRaghavendra, openss...@openssl.org

> OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack,

Are you actually shipping powerpc binaries?

> This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.

Is this actually your threat model?

> So untill now in OpenSSL we didnt see 2 different versions being carried? why is this version having multiple versions of openssl?

You should discuss blackduck misdetections with your vendor (Black Duck Software Inc.), since they are unrelated to the OpenSSL project.

Cheers, Marian

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
Reply all
Reply to author
Forward
0 new messages