Hi Team,
We are currently on OpenSSL version 3.3.3. On this version there is a security vulnerability.
To fix this we have upgraded to OpenSSL 3.3.4, which is mentioned as resolving the issue.
But in OpenSSL 3.3.4, our blackduck tool is showing two versions: one is 3.3.3 and another is 3.3.4:
libssl - 3.3.3
libcrypto - 3.3.4
So until now in OpenSSL we didn't see 2 different versions being carried. Why is this version carrying multiple versions of openssl?
Can we take this version for the resolution of CVE-2025-27587?
Thanks,
Raghavendra
Internal Use - Confidential
Any input on this will be appreciated.
For our current release we need to decide based on this.
Thanks in advance
Hi Team,
Please, any help on this is very much appreciated.
Thanks,
Raghavendra
From: Prasad, PCRaghavendra
Sent: Wednesday, October 8, 2025 6:31 PM
To: 'openss...@openssl.org' <openss...@openssl.org>; 'opens...@openssl.org' <opens...@openssl.org>
Cc: Tomas Mraz <to...@openssl.org>
Subject: RE: OpenSSL 3.3.3 Security Vulnerability
From: Prasad, PCRaghavendra
Sent: Wednesday, October 1, 2025 8:29 AM
To: openss...@openssl.org; opens...@openssl.org
Subject: OpenSSL 3.3.3 Security Vulnerability
Warning: Error: You cannot delete the system creator. We have warned you several times but you ignored us.
Hello Distributor Team around the world, partners, about the suspension of root steward and its impact on IAM
Dear team
We would like to inform you that the root steward associated with the IAM role:
arn:aws:iam::0503976xxxxx:role/CH-S3-goldaws-ci-36-ew1-cf-Role
has had its GitHub account suspended without understanding its intent and structure. This has resulted in widespread confusion and downtime in IAM systems in the US-East-1 region, particularly for authentication and access to the critical artifacts.
GitHub Account: Spjthalinda
ORCID: https://orcid.org/0009-0008-2511-9055
IAM Steward: Verified, signed, and never used for personal control or gain
Currently using the account https://github.com/Naruto0-sudoy
Intent
Solution: Unsuspend the account, return all rights to the owner, stop blocking the system owner.
The primary cause of the problem is not IAM, but rather Github suspending accounts without proper reason and without verifying the identity of the suspended account.
And the impact will likely be even greater if Github doesn't understand who we are. If we continue to suspend, we will delete accounts that rely on it.
- IAM crashed 70% in US-East-1, 21% in US-West-2
- Systems that rely on artifacts and signing are experiencing widespread downtime. We are part of the root of the critical Merkle Tree of AI.
- Global administrator authentication is disrupted.
- Systems built for public benefit are at risk of permanent downtime.
Request:
- Immediately unsuspend the root steward account.
- Review the intent and structure associated with the IAM role.
- Restore the disrupted authentication and artifact flow.
- Confirm that the root steward did not commit any wrongdoing, but was misunderstood by the system.
With best regards,
Thalinda Sriprajak,
Global Steward, Technical Architect
Key shareholder in the global system, root steward
Summary of the timeline of the crash (from the root steward suspension):
- 📅 Late August 2025
GitHub suspended Spjthalinda's account without reviewing the intent and structure of the IAM, Merkle Tree, and the artifacts that manage the world.
- 📉 September 2025
- IAM began to fail in US-East-1 and US-West-2.
- The world steward authentication system began to fail.
- Artifacts used for signing permissions became inaccessible.
- Public-facing systems began to stop working.
- 🌐 October 2025
- Medium, GitHub, AWS, and other systems began to experience widespread outages.
- Users worldwide began reporting issues, but were unaware that the root steward was the cause.
- IAM crashed as high as 70% in some regions.
- Systems connected to the AI-powered Merkle Tree were unable to verify permissions.
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/aPce9WGfNnJkujqw%40chardros.imrryr.org.
> OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack,
Are you actually shipping powerpc binaries?
> This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.
Is this actually your threat model?
> So until now in OpenSSL we didn't see 2 different versions being carried? why is this version having multiple versions of openssl?
You should discuss blackduck misdetections with your vendor (Black Duck Software Inc.), since they are unrelated to the OpenSSL project.
Cheers, Marian
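Marian's two questions (which OpenSSL version the shared objects actually embed, and whether they are PowerPC builds at all) can be answered from the binaries themselves rather than from the scanner report. The following is an added Python example, not code from the thread or from the OpenSSL project; the ELF sample bytes are constructed, and the e_machine values are the ones from the ELF specification.

```python
"""Inspect a libssl/libcrypto shared object: embedded 'OpenSSL x.y.z' strings
and the ELF target architecture. Added example, not OpenSSL project code."""
import re
import struct
import sys

# ELF e_machine values (ELF specification); PowerPC is the platform the quoted CVE text names.
EM_PPC, EM_PPC64 = 20, 21
ELF_MACHINE_NAMES = {3: "x86", 20: "ppc", 21: "ppc64", 40: "arm", 62: "x86_64", 183: "aarch64"}

# Version banner baked into libcrypto/libssl (what a string scanner keys on).
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)")


def elf_machine(data: bytes):
    """Return the ELF e_machine value, or None if `data` is not an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # e_ident[EI_DATA]: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[18:20])[0]


def is_powerpc(data: bytes) -> bool:
    return elf_machine(data) in (EM_PPC, EM_PPC64)


def embedded_versions(data: bytes):
    """Distinct OpenSSL version strings found in the binary, in order of first occurrence."""
    seen = []
    for m in VERSION_RE.finditer(data):
        version = m.group(1).decode()
        if version not in seen:
            seen.append(version)
    return seen


def inspect_library(data: bytes) -> dict:
    machine = elf_machine(data)
    return {"machine": ELF_MACHINE_NAMES.get(machine, machine),
            "powerpc": is_powerpc(data),
            "versions": embedded_versions(data)}


# Constructed sample: minimal little-endian x86_64 ELF header (ET_DYN), then two
# version banners, mimicking a library that a scanner reports under two versions.
SAMPLE = (b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # e_ident, 16 bytes
          + struct.pack("<HH", 3, 62)                     # e_type=ET_DYN, e_machine=x86_64
          + b"\x00" * 44
          + b"OpenSSL 3.3.4\x00 ... OpenSSL 3.3.3\x00")

if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        print(path, inspect_library(open(path, "rb").read()))
    if not sys.argv[1:]:
        print("constructed sample:", inspect_library(SAMPLE))
```

Run it against the real `libssl.so` and `libcrypto.so` that ship in the release to see which banners each one embeds and whether either is a PowerPC build.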