CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

Turritopsis Dohrnii Teo En Ming tdtemccnp at gmail.com
Wed Nov 2 07:57:10 UTC 2022


On Wed, 2 Nov 2022 at 18:38, Tomas Mraz <tomas at openssl.org> wrote:

> In general unless you've built and installed your own build of OpenSSL
> you need to refer to the vendor of your operating system for patches.
>
> In particular the openssl packages in CentOS 7.9 are not affected given
> they are 1.0.2 version and not 3.0.x version.
>

This is good news. I can sleep well.


>
> Tomas Mraz, OpenSSL
>
> On Wed, 2022-11-02 at 17:48 +1100, Turritopsis Dohrnii Teo En Ming
> wrote:
> > Subject: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x
> > security vulnerabilities
> >
> > Good day from Singapore,
> >
> > I refer to the following posts.
> >
> > [1] OpenSSL Gives Heads Up to Critical Vulnerability Disclosure,
> > Check Point Alerts Organizations to Prepare Now
> > Link: https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/
> >
> > [2] 2022 OpenSSL vulnerability - CVE-2022-3602 - Spooky SSL
> > Link: https://github.com/NCSC-NL/OpenSSL-2022
> >
> > [3] VMware Response to CVE-2022-3602 and CVE-2022-3786:
> > vulnerabilities in OpenSSL 3.0.x
> > Link: https://blogs.vmware.com/security/2022/11/vmware-response-to-cve-2022-3602-and-cve-2022-3786-vulnerabilities-in-openssl-3-0-x.html
> >
> > I have 2 internet-facing CentOS 7.9 Linux servers in Europe.
> >
> > Are the patches available already? How do I patch OpenSSL on my
> > CentOS 7.9 Linux servers?
> >
> > Thank you.
> >
> > Regards,
> >
> > Mr. Turritopsis Dohrnii Teo En Ming
> > Targeted Individual in Singapore
> > Blogs:
> > https://tdtemcerts.blogspot.com
> > https://tdtemcerts.wordpress.com
>
> --
> Tomáš Mráz, OpenSSL
>
>
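
The branch check implied by the reply above (3.0.x is the affected branch, the 1.0.2 packages in CentOS 7.9 are not), as an added example that is not part of the original thread or OpenSSL's own tooling. The function name `classify_openssl`, its output labels and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string by release branch.
# From the thread: 3.0.x is the branch named in the advisories; 1.0.2 is not.
# Vendors backport fixes without changing the upstream version number, so
# "in-3.0.x" means "check the vendor advisory", not "unpatched".

# classify_openssl STRING prints one of:
#   in-3.0.x      OpenSSL 3.0 branch
#   other-branch  OpenSSL, but a different branch (e.g. 1.0.2, 1.1.1)
#   not-openssl   a different TLS library with its own version numbering
#   unknown       no x.y.z version found in the string
classify_openssl() {
    s=$1
    case $s in
        LibreSSL*|libressl*|BoringSSL*) echo not-openssl; return ;;
    esac
    # Extract the first dotted triple from `openssl version` output,
    # an rpm package name, or a bare version string.
    v=$(printf '%s\n' "$s" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case $v in
        '')    echo unknown ;;
        3.0.*) echo in-3.0.x ;;
        *)     echo other-branch ;;
    esac
}

# Constructed sample inputs (not taken from the thread).
for sample in \
    'OpenSSL 1.0.2k-fips  26 Jan 2017' \
    'openssl-1.0.2k-25.el7_9.x86_64' \
    'OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)' \
    'LibreSSL 3.3.6'
do
    printf '%-13s %s\n' "$(classify_openssl "$sample")" "$sample"
done

# On a live host, classify the binary on PATH if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf '%-13s %s\n' "$(classify_openssl "$(openssl version)")" 'local openssl'
fi
```

Applications can bundle or statically link their own OpenSSL, so the system package version covers only what the package manager installed.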


More information about the openssl-users mailing list