Describe the security concern
OpenSSL v3 has an issue on 64-bit Intel environments (not currently a target runtime for Herald for C++). We need to ensure we're using a version that is patched (no releases currently are) before we release support for Intel 64-bit as a target (non-development) runtime.
Severity (Project team may edit this section after reporting)
Severe on Intel 64-bit (currently not a supported target environment, only for dev).
https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/
We're currently not using these algorithms in Herald. We only use SHA256 (and only as one of many options) and only on non-Intel platforms as a target environment. (Currently we use Intel 64-bit as a test environment for automated CI only. This may change in a future release - e.g. if we choose to support Linux PinePhone / desktop.)
Describe the potential solution you'd like
Adopt a fixed release of OpenSSL 3.x when available (it's not currently).
Describe alternatives you've considered
Documenting only (as it's not currently a target runtime environment).
Additional context
Add any other context about the problem here.
NONE
Notification
DO NOT MODIFY THE BELOW - it will alert the maintainers once you submit your report.
@theheraldproject/committers