<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
We do not have a firm release date for 1.1.1u at this point. As per
our policy, LOW severity CVE are not release triggering and this one
is considered LOW severity by the project. Baring other
eventualities, three months is a likely time frame.<br>
<br>
I'll note that the issue here was in the documentation and that the
fix is purely a documentation change. This change is already
available online on our web site:<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html">https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html</a><br>
<br>
<br>
Dr Paul Dale<br>
<br>
<div class="moz-cite-prefix">On 4/4/23 23:16, Joslin, Jack via
openssl-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SA1P110MB15045BD147AB46A096FF61FA9B939@SA1P110MB1504.NAMP110.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
<span style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">Hello,</span><br>
</div>
<div dir="ltr">
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
When will OpenSSL 1.1.1u be released? </div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
Tenable indicates the vulnerability severity of 1.1.1t as
medium. I found this post indicating that there is no ETA on
the release of OpenSSL 1.1.1u and that it may not be released
for 3 months.</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
<a
href="https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html"
class="ContentPasted0" id="LPlnk888762"
moz-do-not-send="true">OpenSSL Security Advisory</a><br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div class="x_elementToProof" style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">
From Nessus/Tenable scan:<br>
</div>
<div class="x_elementToProof">
<div id="x_Signature">
<div name="x_divtagdefaultwrapper"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:; margin:0">
<div style="margin:0px"><br>
</div>
<div style="margin:0px">
<table class="x_ContentPasted0"
style="border-collapse:collapse; width:789pt"
width="1050">
<colgroup class="x_ContentPasted0"><col
class="x_ContentPasted0" style="width:48pt"
width="64"><col class="x_ContentPasted0"
style="width:92pt" width="122"><col
class="x_ContentPasted0" style="width:48pt"
width="64"><col class="x_ContentPasted0"
style="width:341pt" width="455"><col
class="x_ContentPasted0" style="width:128pt"
width="170"><col class="x_ContentPasted0"
style="width:55pt" width="73"><col
class="x_ContentPasted0" style="width:77pt"
width="102"></colgroup>
<tbody class="x_ContentPasted0">
<tr class="x_ContentPasted0" style="height:17.25pt"
height="23">
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); height: 17.25pt; width:
48pt; white-space: nowrap !important; color:
black;" width="64" height="23">
Plugin</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 92pt; white-space:
nowrap !important; color: black;" width="122">
Plugin Name</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 48pt; white-space:
nowrap !important; color: black;" width="64">
Severity</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 341pt; white-space:
nowrap !important; color: black;" width="455">
Plugin Output</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 128pt; white-space:
nowrap !important; color: black;" width="170">
Solution</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 55pt; white-space:
nowrap !important; color: black;" width="73">
Risk Factor</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); width: 77pt; white-space:
nowrap !important; color: black;" width="102">
CVE</td>
</tr>
<tr class="x_ContentPasted0" style="height:210.0pt"
height="280">
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); height: 210pt; white-space:
nowrap !important; color: black;" height="280"
align="right">
173260</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border: 1px
solid rgb(212, 212, 212); width: 92pt; color:
black;" width="122">
OpenSSL 1.1.1 < 1.1.1u Multiple
Vulnerabilities</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); white-space: nowrap
!important; color: black;">
Medium</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border: 1px
solid rgb(212, 212, 212); width: 341pt; color:
black;" width="455">
Plugin Output: <br class="x_ContentPasted0">
<span class="x_ContentPasted0" style=""> </span>Banner<span
class="x_ContentPasted0" style="">
</span>: Apache/2.4.56 (Unix) OpenSSL/1.1.1t
mod_perl/2.0.9 Perl/v5.8.8<br
class="x_ContentPasted0">
<span class="x_ContentPasted0" style=""> </span>Reported
version : 1.1.1t<br class="x_ContentPasted0">
<span class="x_ContentPasted0" style=""> </span>Fixed
version<span class="x_ContentPasted0" style="">
</span>: 1.1.1u</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border: 1px
solid rgb(212, 212, 212); width: 128pt; color:
black;" width="170">
Upgrade to OpenSSL version 1.1.1u or later.</td>
<td class="x_ContentPasted0" style="padding-top:
1px; padding-right: 1px; padding-left: 1px;
font-size: 11pt; text-decoration: none;
font-family: Calibri, sans-serif;
vertical-align: bottom; border: 1px solid
rgb(212, 212, 212); white-space: nowrap
!important; color: black;">
Medium</td>
<td class="x_xl65 x_ContentPasted0"
style="padding-top: 1px; padding-right: 1px;
padding-left: 1px; font-size: 11pt;
text-decoration: none; font-family: Calibri,
sans-serif; vertical-align: bottom; border: 1px
solid rgb(212, 212, 212); width: 77pt; color:
black;" width="102">
CVE-2023-0464, CVE-2023-0464, CVE-2023-0465,
CVE-2023-0466</td>
</tr>
</tbody>
</table>
<br>
</div>
<div style="margin:0px">Regards,</div>
<div style="margin:0px"> </div>
<div style="margin:0px">Jack Joslin</div>
<div style="margin:0px"><span style="font-family: Arial,
sans-serif; font-size: 10pt; color: rgb(153, 51,
102);"><span id="x_ms-rterangecursor-start"></span>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal">
<span
style="font-family:"Arial","sans-serif";
font-size:10pt"><font style="color: rgb(0, 0, 0);">Business
Services Outsourcing Center (BSOC)<span
id="x_ms-rterangecursor-end"></span></font></span></p>
<span id="x_ms-rterangecursor-end"></span></span></div>
<div style="margin:0px">
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal">
General Dynamics, Information Technology</p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal">
327 Columbia Turnpike, Rensselaer, NY 12144</p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal">
<a href="mailto:jack.joslin@gdit.com"
data-auth="NotApplicable" tabindex="0"
moz-do-not-send="true" class="moz-txt-link-freetext">jack.joslin@gdit.com</a></p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal">
<span style="line-height: 115%; font-family: Arial,
"sans-serif"; font-size: 10pt; color:
rgb(31, 73, 125);">m: +1.321.431.5117</span></p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;margin:0in 0in 0pt;
line-height:normal">
Follow us on <a
href="http://www.facebook.com/OfficialCSRA"
data-auth="NotApplicable" tabindex="0"
moz-do-not-send="true">
<span style="text-decoration: none; color:
windowtext;">Facebook</span></a> | <a
href="http://www.twitter.com/csra_inc"
data-auth="NotApplicable" tabindex="0"
moz-do-not-send="true">
<span style="text-decoration: none; color:
windowtext;">Twitter</span></a> | <a
href="http://www.linkedin.com/company/csra_inc"
data-auth="NotApplicable" tabindex="0"
moz-do-not-send="true">
<span style="text-decoration: none; color:
windowtext;">LinkedIn</span></a></p>
<p class="x_MsoNormal" style="margin-top: 0px;
margin-bottom: 0px;"><span style="font-family: Arial,
sans-serif; font-size: 8pt; color: rgb(31, 73,
125);">This electronic message transmission contains
information from GDIT which may be attorney-client
privileged, proprietary or confidential. The
information in this message is intended only for use
by the individual(s) to whom it is addressed. If
you believe you have received this message in error,
please contact me immediately and be aware that any
use, disclosure, copying or distribution of the
contents of this message is strictly prohibited.
NOTE: Regardless of content, this e-mail shall not
operate to bind GDIT to any order or other contract
unless pursuant to explicit written agreement or
government initiative expressly permitting the use
of e-mail for such purpose</span><br>
</p>
</div>
<div style="margin:0px"> </div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>