OpenSSL 3.3.3 Security Vulnerability


Prasad, PCRaghavendra

unread,
Sep 30, 2025, 10:58:46 PM (2 days ago) Sep 30
to openss...@openssl.org, opens...@openssl.org


Hi Team,


We are currently on OpenSSL version 3.3.3. This version has a security vulnerability.
To fix this we have upgraded to OpenSSL 3.3.4, which is stated to resolve the issue.

But in OpenSSL 3.3.4, our BlackDuck tool is showing two versions, one is 3.3.3 and another is 3.3.4:

libssl - 3.3.3
libcrypto - 3.3.4

So until now in OpenSSL we didn't see 2 different versions being carried. Why does this version have multiple versions of OpenSSL?
Can we take this version for the resolution of CVE-2025-27587?


Thanks,

Raghavendra



Internal Use - Confidential

The Doctor

unread,
Sep 30, 2025, 11:24:09 PM (2 days ago) Sep 30
to Prasad, PCRaghavendra, openss...@openssl.org, opens...@openssl.org
> can we take this version for the resolution of CVE-2025-27587<https://github.com/advisories/GHSA-jqr3-3jm7-r6cm>?
>
> Thanks,
> Raghavendra
>
>

Rag, what operating system are you using?


--
Member - Liberal International This is doc...@nk.ca Ici doc...@nk.ca
Yahweh, King & country! Never Satan President Republic! Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ;
All I want to hear from Jesus Christ is Well done Good and Faithful servant

Michael Wojcik

unread,
Oct 1, 2025, 9:06:33 AM (21 hours ago) Oct 1
to openss...@openssl.org, opens...@openssl.org
> From: 'Prasad, PCRaghavendra' via openssl-users <openss...@openssl.org>
> Sent: Tuesday, 30 September, 2025 20:59

> But in OpenSSL 3.3.4, our blackduck tool is showing two versions one is 3.3.3 and another is 3.3.4
> libssl - 3.3.3
> libcrypto - 3.3.4

BlackDuck's version detection for components which are not managed by a package manager is heuristic and, in my experience, quite often wrong. This will be particularly true for newer releases. You can verify for yourself that your libssl is 3.3.4 (by examining your build and delivery processes) and override the library version detected by BD. Or raise this as an issue with BlackDuck.

I haven't looked at the 3.3.4 sources, but this is probably not an OpenSSL issue.

--
Michael Wojcik
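An added example (not code from this thread, from OpenSSL or from BlackDuck) of the cross-check Michael suggests: read the version text actually embedded in each library file, so that a scanner's heuristic guess for libssl and libcrypto can be compared against the bytes you ship. It assumes each library embeds an "OpenSSL x.y.z" string (such as OPENSSL_VERSION_TEXT) and the OpenSSL 3.x layout of OPENSSL_VERSION_NUMBER; the byte blobs used in the checks are constructed samples.

```python
"""Cross-check the OpenSSL version a scanner reports for libssl/libcrypto.

Added example, not from the thread or from OpenSSL. Assumes the OpenSSL 3.x
encoding of OPENSSL_VERSION_NUMBER (0xMNN00PPS) and that each library file
embeds an "OpenSSL x.y.z" text such as OPENSSL_VERSION_TEXT.
"""
from __future__ import annotations

import re
import ssl
import sys
from pathlib import Path

# Matches the release text OpenSSL embeds, e.g. "OpenSSL 3.3.4 <date>".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)")


def decode_version_number(n: int) -> str:
    """Decode an OpenSSL 3.x OPENSSL_VERSION_NUMBER (0xMNN00PPS) to 'M.N.P'."""
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    patch = (n >> 4) & 0xFF
    return f"{major}.{minor}.{patch}"


def embedded_versions(data: bytes) -> set[str]:
    """Return every 'x.y.z' found in 'OpenSSL x.y.z' strings in a binary blob."""
    return {m.group(1).decode() for m in VERSION_RE.finditer(data)}


def inconsistent_versions(libs: dict[str, bytes]) -> dict[str, set[str]]:
    """Map library name -> embedded versions when the libraries disagree.

    An empty dict means every library embeds the same single version, which is
    what a clean 3.3.4 build should show for both libssl and libcrypto.
    """
    found = {name: embedded_versions(blob) for name, blob in libs.items()}
    all_versions = set().union(*found.values()) if found else set()
    return found if len(all_versions) > 1 else {}


if __name__ == "__main__":
    # Usage: python check_openssl_libs.py /path/to/libssl.so.3 /path/to/libcrypto.so.3
    blobs = {p: Path(p).read_bytes() for p in sys.argv[1:]}
    for path, blob in blobs.items():
        print(path, sorted(embedded_versions(blob)))
    print("inconsistent:", inconsistent_versions(blobs) or "no")
    # Runtime cross-check of the libcrypto Python itself loaded (3.x layout only).
    if ssl.OPENSSL_VERSION_NUMBER >> 28 >= 3:
        print("runtime:", ssl.OPENSSL_VERSION, decode_version_number(ssl.OPENSSL_VERSION_NUMBER))
```

A library that embeds two different version strings, or a libssl and libcrypto that disagree, is worth tracing back through the build before accepting the scanner's report or overriding it.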