OpenSSL have published a security advisory. Here's how it affects BoringSSL:
| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2022-3358 | Using a Custom Cipher with NID_undef may lead to NULL encryption | Low | Not affected; bug was introduced after fork and BoringSSL does not support custom EVP_CIPHERs |
Though not listed in the advisory, the 1.1.1r release additionally includes a workaround for a strict aliasing issue that caused recent versions of Clang to miscompile OpenSSL's elliptic curve (EC) code. (The corresponding fix for 3.0.x was included in 3.0.4.)
BoringSSL had long since replaced that code and was not affected by this issue. However, to avoid risking problems with future compilers, we completely removed union-based type-punning from our EC code in May 2022 and are working on removing the remaining instances elsewhere in the library. C permits some union-based type-punning (reading a union member other than the one most recently written), but C++ does not, and the C rules are complex enough that avoiding the pattern altogether is safer than relying on it.
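To make the distinction concrete, here is an added example (not BoringSSL's or OpenSSL's code) contrasting the union-punning pattern with the explicit byte decoding that replaces it. The field element layout, the `fe256`/`fe256_pun` types and the `load_u64_le`/`store_u64_le` helpers are hypothetical, chosen to resemble the kind of limb/byte conversion EC code performs; the 32-byte input is a constructed test vector.

```c
#include <stdint.h>
#include <string.h>

// Hypothetical 256-bit field element: four 64-bit limbs, least significant
// limb first. Names are illustrative, not BoringSSL's.
#define FE256_LIMBS 4
#define FE256_BYTES 32

typedef struct {
  uint64_t v[FE256_LIMBS];
} fe256;

// The pattern being removed: a union whose members alias the same storage.
// C permits reading the member that was not most recently written; C++ makes
// that undefined behaviour, and either way the result depends on host byte
// order, so the decoder is not portable even where it compiles correctly.
typedef union {
  uint8_t bytes[FE256_BYTES];
  uint64_t limbs[FE256_LIMBS];
} fe256_pun;

static void fe256_from_bytes_union(fe256 *out, const uint8_t in[FE256_BYTES]) {
  fe256_pun p;
  memcpy(p.bytes, in, FE256_BYTES);
  for (int i = 0; i < FE256_LIMBS; i++) {
    out->v[i] = p.limbs[i];  // host-endian, and undefined behaviour in C++
  }
}

// Replacement: decode each limb explicitly as little-endian. No object is
// accessed through an incompatible type, the result is the same on every
// host, and compilers fold the shifts into a single load where possible.
static uint64_t load_u64_le(const uint8_t p[8]) {
  uint64_t r = 0;
  for (int i = 7; i >= 0; i--) {
    r = (r << 8) | p[i];
  }
  return r;
}

static void store_u64_le(uint8_t p[8], uint64_t v) {
  for (int i = 0; i < 8; i++) {
    p[i] = (uint8_t)(v >> (8 * i));
  }
}

static void fe256_from_bytes(fe256 *out, const uint8_t in[FE256_BYTES]) {
  for (int i = 0; i < FE256_LIMBS; i++) {
    out->v[i] = load_u64_le(in + 8 * i);
  }
}

static void fe256_to_bytes(uint8_t out[FE256_BYTES], const fe256 *in) {
  for (int i = 0; i < FE256_LIMBS; i++) {
    store_u64_le(out + 8 * i, in->v[i]);
  }
}

// When an object's bit pattern genuinely has to be reinterpreted in host
// order (not serialised), memcpy into the target type is well-defined in both
// C and C++ and is compiled to a plain register move.
static uint64_t bits_of_double(double d) {
  uint64_t u;
  memcpy(&u, &d, sizeof(u));
  return u;
}

// Returns 1 if the explicit decoder yields the expected limb for a constructed
// 32-byte input, round-trips back to the same bytes and, on a little-endian
// host, agrees with the union version; returns 0 otherwise.
static int fe256_roundtrip_ok(void) {
  uint8_t in[FE256_BYTES];
  for (int i = 0; i < FE256_BYTES; i++) {
    in[i] = (uint8_t)(0xa0 + i);  // constructed test vector: a0 a1 ... bf
  }
  fe256 a;
  fe256_from_bytes(&a, in);
  if (a.v[0] != UINT64_C(0xa7a6a5a4a3a2a1a0)) return 0;

  uint8_t back[FE256_BYTES];
  fe256_to_bytes(back, &a);
  if (memcmp(in, back, FE256_BYTES) != 0) return 0;

  const uint16_t probe = 1;
  uint8_t first;
  memcpy(&first, &probe, 1);
  if (first == 1) {  // little-endian host: the union decoder happens to agree
    fe256 b;
    fe256_from_bytes_union(&b, in);
    if (memcmp(a.v, b.v, sizeof(a.v)) != 0) return 0;
  }
  return 1;
}
```

The explicit decoder is the form to keep: it is defined behaviour under both C and C++ compilation, it fixes the wire byte order independently of the host, and modern Clang and GCC recognise the shift-and-or idiom and emit the same single load the union version was trying to get.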