OpenSSL CVE-2022-4304 Timing Oracle in RSA Decryption #22374
Hi Team, The CVE-2022-4304 is vulnerable to our product and it supports openSSL 1.0.2h. We have accommodated other CVEs into the same openSSL version. The CVE is also fixed in OpenSSL 1.0.2zg, but I don't see any code diffs in forums. Kindly share the link for the 1.0.2zg changes for the mentioned CVE.
OpenSSL 1.0.2 went out of support in 2019, as far as I can tell. OpenSSL 1.0.2zg is available for premium support customers, so if you are a premium support customer please reach out to your support contact. Looking at the OpenSSL vulnerability list, rather than the Rust version, since 1.1.1 is also end-of-life now, if you're not a premium support customer, you should upgrade to 3.0.8.
Please also note that as the premium support contracts are the source of funding for any further development of the project, we will not be able to provide you backported patches for the vulnerabilities for these extended support releases, and we will not allow them here in the openssl organization on GitHub. Of course we cannot prevent anyone from backporting the fixes to older versions and publishing them on their own repositories, but these patches will never be official OpenSSL fixes.