| # OpenSSL Advisory: June 21st, 2022 (BoringSSL Not Affected) |
| |
| OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20220621.txt). Here's how it affects BoringSSL: |
| |
| CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL |
| ----|---------|-----------------------|--------------------- |
| CVE-2022-2068 | The c_rehash script allows command injection | Moderate | Not affected. BoringSSL does not ship this script. |
| |
| [Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity |
| |
| ## Additional Changes in 1.1.1p |
| |
| The 1.1.1p release additionally includes the following changes: |
| |
| ### Modular exponentiation fix |
| |
| The `BN_mod_exp_mont_consttime` function [would sometimes return the modulus when it should return zero](https://github.com/openssl/openssl/pull/18511). This fix was based on a corresponding BoringSSL fix ([part 1](https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315), [part 2](https://boringssl.googlesource.com/boringssl/+/801a801024febe1a33add5ddaa719e257d97aba5)), applied June 3rd, 2022. While this function is used in many cryptographic algorithms, we believe there is no security impact to algorithms implemented by BoringSSL. See the BoringSSL fix for more detailed analysis. |
| |
| ### Lucky 13 mitigation |
| |
| The [Lucky 13](https://en.wikipedia.org/wiki/Lucky_Thirteen_attack) mitigation was [changed](https://github.com/openssl/openssl/pull/18050) to avoid leaking information under a model of cache line behavior. BoringSSL is not affected. We previously changed this logic in [September 2016](https://boringssl-review.googlesource.com/c/boringssl/+/11003/) to meet a stricter constant-time model, which makes no assumptions on the behavior of cache lines. |