OpenSSL high-severity bug – affects 1.1.1d, 1.1.1e, 1.1.1f

&gt; This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April 2020. It was found using the new static analysis pass being implemented in GCC, -fanalyzer.<p>2 week turnaround time, not bad I guess, for something found by a static analyzer.

At least it&#x27;s just DOS and not anything like heartbleed.

What popular software contain these vulnerable versions of the OpenSSL library?

Checking out packages.ubuntu.com, it looks like the only version impacted is &quot;focal;&quot; the other versions are too old.

Now I know why arch pushed a new version this afternoon.

Is BoringSSL affected?

So how widely TLS 1.3 is<p>a) used<p>b) enabled in either client or server?

OpenSSL vulnerabilities: The gift that keeps on giving.

This would primarily affect web servers exposing SSH access to the public right? I suppose it also affects internally accessible servers as well but to a lesser degree in terms of priority.

OpenSSL is the culprit of a MacPort installation issue (vde2) for which there is no maintainer. It exposes operational vulnerability to unmaintained open source software.

Sure, let&#x27;s continue to reward incompetence by further funding openssl.<p>In a sane world, everybody would have switched to libressl ages ago.