Security Report: OpenSSL on Intel 64 bit (future release)

[adamfowleruk]

Describe the security concern

OpenSSL v3 has an issue on 64bit Intel environments (not currently a target runtime for Herald for C++). We need to ensure we're using a version that is patched (no releases currently are) before we release support for Intel 64bit as a target (non-development) runtime.

Severity (Project team may edit this section after reporting)

Severe on Intel 64 bit (currently not a supported target environment, only for dev).

https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

We're currently not using these algorithms in Herald. We only use SHA256 (and only as one of many options) and only on non-Intel platforms as a target environment. (Currently we use Intel 64bit as a test environment for automated CI only. This may change in a future release - E.g. if we choose to support Linux PinePhone / desktop.).

Describe the potential solution you'd like

Adopt a fixed release of openssl 3.x when available (it's not currently)

Describe alternatives you've considered

Documenting only (as its not currently a target runtime environment).

Additional context

Add any other context about the problem here.

NONE

Notification

DO NOT MODIFY THE BELOW - it will alert the maintainers once you submit your report.

@theheraldproject/committers