OpenSSL 3.0.5 high severity findings.

[miloslav-zadrazil-solarwinds]

Describe the bug
Vulnerability scans on nmap release shows high severity issue of OpenSSL 3.0.5 version

• X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
• X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
  could you, please provide me with information whether nmap is affected by those vulnerabilities ?

[dmiller-nmap]

Nmap is not affected by these vulnerabilities because Nmap does not perform certificate validation. Ncat, when the --ssl-verify option is used, may be vulnerable.

[fyodor]

Just to add one more thing...even though Nmap itself isn't vulnerable, we'll be updating to the patched OpenSSL in the next release. We understand that nobody wants these "vulnerable" OpenSSL DLL's on their system even if they can't technically be exploited. They can still lead to alerts from vulnerability scanners, etc. Thanks @miloslav-zadrazil-solarwinds for the report, and of course @dmiller-nmap for researching the CVE's so quickly.

[miloslav-zadrazil-solarwinds]

Excellent and very helpful . Many thanks for quick response.