Vulnerabilities

(High) OpenSSL vulnerabilities: CVE-2022-3602 and CVE-2022-3786 patch available

This security update addresses the issues catalogued in CVE-2022-3602 and CVE-2022-3786, which affect OpenSSL versions 3.0.0 through 3.0.6. The new version, OpenSSL 3.0.7, addresses the potential for a malicious actor to cause a buffer overflow which may result in a Denial of Service (DoS). The OpenSSL Security Team recently determined that Remote Code Execution (RCE), though unlikely, still has a non-zero potential in some implementations. The OpenSSL Security Team has categorized these two vulnerabilities as “High” (recently downgraded from Critical).

According to the OpenSSL Security Team, these vulnerabilities do not affect OpenSSL versions prior to 3.0. OpenSSL reminds developers that OpenSSL version 1.1.1x will only be supported until September 11, 2023. The latest 1.1.1 release is 1.1.1s.

On many Linux variants, version information can be discovered with the command: # openssl version

The following command can be used on a Windows command prompt: openssl /?
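As an added example (not part of this advisory or of the OpenSSL project), the following POSIX shell script turns the manual version check above into a repeatable test: it parses the output of openssl version and classifies the installed build as affected (3.0.0 through 3.0.6), patched (3.0.7 or later), or not affected (any other branch, such as 1.1.1x). The sample version strings in the comments are constructed. Note that it only inspects the openssl binary found on PATH; applications that statically link or bundle their own copy of libssl must be checked separately.

```shell
#!/bin/sh
# Added example: classify an "openssl version" string against the
# CVE-2022-3602 / CVE-2022-3786 affected range (OpenSSL 3.0.0 through 3.0.6).

# Extract the numeric version (for example "3.0.5") from a line such as
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1s  1 Nov 2022" (constructed
# samples). Prints nothing for non-OpenSSL output such as LibreSSL.
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# Print one of: affected, patched, not-affected, unknown.
# Exit status: 0 = affected, 1 = not affected or patched, 2 = could not parse.
openssl_status() {
    ver=$(openssl_version_number "$1")
    [ -n "$ver" ] || { echo "unknown"; return 2; }

    major=${ver%%.*}          # "3.0.5" -> "3"
    rest=${ver#*.}            # "3.0.5" -> "0.5"
    minor=${rest%%.*}         # "0.5"   -> "0"
    patch=${rest#*.}          # "0.5"   -> "5"
    [ "$patch" = "$rest" ] && patch=0   # tolerate a bare "3.0"

    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -le 6 ]; then
            echo "affected"; return 0
        fi
        echo "patched"; return 1
    fi
    # 1.1.1x and 1.0.x are not affected by these two CVEs
    echo "not-affected"; return 1
}

# Check the openssl binary on PATH (if any) of the machine running this script.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_status "$(openssl version)"
    else
        echo "unknown"; return 2
    fi
}

# Usage when run directly: print the local result.
[ "${0##*/}" = "openssl_check.sh" ] && check_local_openssl
```

Run it under cron or a configuration-management tool and alert on an "affected" result; a "patched" result from the system binary is not proof that every service on the host links against 3.0.7, so pair it with an inventory of bundled or vendored OpenSSL copies.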


Version 3.0.7 download: https://www.openssl.org/source/

Additional details:

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

https://www.hhs.gov/sites/default/files/openssl-critical-patch.pdf

https://www.openssl.org/news/secadv/20221101.txt