A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available, fixing two vulnerabilities:
- CVE-2021-3711: a buffer overflow in the implementation of the SM2 cryptographic algorithm (used in China). Because of an error in calculating the required buffer size, up to 62 bytes can be written outside the buffer. An attacker can potentially achieve code execution or crash the application by sending specially crafted data for decryption to an application that uses the EVP_PKEY_decrypt() function on SM2 data.
- CVE-2021-3712: a buffer overrun in the ASN.1 string handling code that allows the application to be crashed or the contents of process memory to be disclosed (for example, to reveal keys held in memory) if the attacker can somehow get a string without a terminating NUL byte into an internal ASN1_STRING structure and have it processed by OpenSSL functions that print certificates, such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().
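The root of CVE-2021-3712 is code treating a length-counted ASN.1 string as if it were a NUL-terminated C string. The following added example (not OpenSSL's code; `demo_asn1_string` and the two functions are hypothetical stand-ins for the real ASN1_STRING and its printing routines) shows the defensive pattern: every access is bounded by the length field, a terminator is added by the copy itself, and embedded NULs are rejected rather than silently truncating the value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-counted ASN.1 string; this is NOT
 * OpenSSL's real ASN1_STRING. The buffer is not guaranteed to end in NUL. */
typedef struct {
    int length;
    const unsigned char *data;
} demo_asn1_string;

/* Convert to a NUL-terminated C string using only the length field.
 * strlen() is never called on data, so an unterminated buffer cannot cause
 * an over-read. Returns NULL on invalid length or an embedded NUL (which a
 * C-string consumer would otherwise silently truncate). Caller frees. */
char *demo_asn1_string_to_cstr(const demo_asn1_string *s)
{
    if (s == NULL || s->length < 0 || (s->length > 0 && s->data == NULL))
        return NULL;
    if (s->length > 0 && memchr(s->data, '\0', (size_t)s->length) != NULL)
        return NULL;                       /* embedded NUL: reject */
    char *out = malloc((size_t)s->length + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s->data, (size_t)s->length);
    out[s->length] = '\0';                 /* terminator is added here */
    return out;
}

/* Print with an explicit length instead of "%s", so output stops at
 * s->length even when the buffer is unterminated. Returns bytes written. */
int demo_asn1_string_print(FILE *fp, const demo_asn1_string *s)
{
    if (s == NULL || s->length < 0 || (s->length > 0 && s->data == NULL))
        return -1;
    return (int)fwrite(s->data, 1, (size_t)s->length, fp);
}

int main(void)
{
    /* Constructed input: 4 value bytes followed by a non-NUL byte, so the
     * buffer is deliberately unterminated at data[4]. */
    unsigned char raw[] = { 'c', 'a', 'f', 'e', '!' };
    demo_asn1_string s = { 4, raw };
    char *c = demo_asn1_string_to_cstr(&s);
    if (c != NULL) {
        printf("value: %s (len %zu)\n", c, strlen(c));  /* value: cafe (len 4) */
        free(c);
    }
    demo_asn1_string_print(stdout, &s);
    putchar('\n');
    return 0;
}
```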
At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, have been released; their announcements do not explicitly mention the vulnerabilities, but judging by the change list, CVE-2021-3712 is fixed.
Source: media reports.