No BoringSSL impact from OpenSSL security update, May 3rd, 2022

Alyssa Wilk

May 5, 2022, 12:42:25 PM
to cncf-envoy-distr...@lists.cncf.io, envoy-a...@googlegroups.com, envoy-secur...@googlegroups.com
TL;DR: Mainline Envoy builds use BoringSSL and are NOT affected.  Any custom builds using OpenSSL will have to do their own analysis.

OpenSSL CVEs:
CVE-2022-1292
CVE-2022-1343
CVE-2022-1434
CVE-2022-1273
are all based on code BoringSSL does not include.  BoringSSL is happily living up to its name :-)

best,

Alyssa, on behalf of Envoy Security Team.