Review a fix for OpenSSL3 CVE

grey artkiver at gmail.com
Tue Nov 1 18:15:39 UTC 2022


I think neverpanic tends to be pretty responsive?

Moreover, the severity was downgraded from Critical to High between the
time the vulnerability was circulating through the grapevine and when it
actually was disclosed. There are also no known exploits in the wild,
thankfully.

LibreSSL (which is what macOS ships in base) is also not vulnerable,
neither is OpenSSL1.

Anyway, I agree it's important to get tested and merged, but I'm not sure
if it would be necessary to jump the gun of the maintainers?

On Tue, Nov 1, 2022, 11:04 Kirill A. Korinsky via macports-dev <
macports-dev at lists.macports.org> wrote:

> Folks,
>
> The OpenSSL team released a fix for the found CVE:
> https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
>
> May I ask someone to review a PR to fix this CVE?
>
> https://github.com/macports/macports-ports/pull/16545
>
> I think that this CVE should be a reason to merge such a PR ASAP without
> maintainers' confirmation.
>
> --
> wbr, Kirill
>
>