What is the OPENSSL version is used in 4.4.3 and 4.5.2. Vulnerabilities reported inn openssl

[SunitaMK]

Hi Team,

Please let me know which OPENSSL version is used sqlcipher- 4.4.3 and sqlcipher-4.5.2 library buildings.
Our internal tool reporting multiple vulnerabilities in OPENSSL libraries. We would like to know are those vulnerabilities addressed in latest version of sqlcipher? Iff not whats the next plan?

Note: If you are not posting a specific issue for the SQLCipher library, please post your question to the SQLCipher discuss site. Thanks!

[developernotes]

Hi @SunitaMK,

SQLCipher used OpenSSL 1.1.1j in 4.4.3, and 1.1.1q in 4.5.2. If you are a Commercial or Enterprise customer, please feel free to reach out directly to us directly at support@zetetic.net for further assistance.

[tosulc]

@developernotes just a question. Why aren't you using release notes (I see that you tag releases), so there won't be questions like this one? Or there will be, but it will be easier to communicate changes.

edit: I see that you're having changelog outside of git -> https://www.zetetic.net/blog/2022/08/03/sqlcipher-4.5.2-release/ but still, just c/p it here? :)

Btw. thanks for still supporting this lib. It's a game changer for database encryption in Android world.

[developernotes]

Hi @tosulc

We do not use the GitHub Releases feature, we only distribute the Community edition binary artifacts via Maven Central. The changelog for the core library is here ¹, however, we are no longer bundling/versioning OpenSSL within the SQLCipher for Android library. Because of this, SQLCipher for Android may be built with different versions/configurations of OpenSSL. Typically, we annotate the version of OpenSSL used within the core library release notes instead. You can subscribe to our SQLCipher Updates discuss channel ² where we highlight the changes in new releases including the OpenSSL version.

Footnotes

1. https://github.com/sqlcipher/sqlcipher/blob/master/CHANGELOG.md ↩

2. https://discuss.zetetic.net/c/sqlcipher/updates/14 ↩

[KDisEDDY]

cause googleplay will check the openssl version，the old version dependency of 4.1.3 will refused，verion 4.5.2 is glad to update