# OpenSSL Advisory: November 1st, 2022 (BoringSSL Not Affected)

OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20221101.txt). Here's how it affects BoringSSL:

CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2022-3602 | X.509 Email Address 4-byte Buffer Overflow | High (initially Critical) | Not affected. Bug was introduced after the fork.
CVE-2022-3786 | X.509 Email Address Variable Length Buffer Overflow | High | Not affected. Bug was introduced after the fork.

[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity

## TLS Cipher Strings

Though not listed in the advisory, the 1.1.1s and 3.0.7 releases additionally fix an [out-of-bounds read](https://github.com/openssl/openssl/commit/9b3219ba544db82cdad3058b9872058739559944) in TLS cipher string processing. BoringSSL fixed this issue in [October 2016](https://boringssl-review.googlesource.com/c/boringssl/+/11421).