# OpenSSL Advisory: October 11th, 2022 (BoringSSL Not Affected)

OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20221011.txt). Here's how it affects BoringSSL:

CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2022-3358 | Using a Custom Cipher with NID_undef may lead to NULL encryption | Low | Not affected; bug was introduced after fork and BoringSSL does not support custom `EVP_CIPHER`s

[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity

## Elliptic Curve Miscompilations

Though not listed in the advisory, the 1.1.1r release additionally includes a [workaround](https://github.com/openssl/openssl/commit/6246649d657127a031782b29ba6132a4203260b2) for a [strict aliasing](https://en.cppreference.com/w/c/language/object#Strict_aliasing) issue that caused recent versions of Clang to [miscompile](https://github.com/openssl/openssl/issues/18225) the elliptic curve (EC) code. (The corresponding fix for 3.0.x shipped in 3.0.4.)

BoringSSL had long since replaced that code and was not affected by this issue. However, to avoid risking problems with future compilers, we [completely removed](https://boringssl-review.googlesource.com/c/boringssl/+/52505) union-based type-punning from our EC code in May 2022, and are working on [removing the remaining instances](https://bugs.chromium.org/p/boringssl/issues/detail?id=301). While C does allow some union-based type-punning, C++ is stricter, and the C rules are complex enough that avoiding the pattern altogether is the safer choice.
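The following is a constructed C example of the kind of change described above; it is not BoringSSL's or OpenSSL's code, and the four-limb `felem` layout, the function names and the test vector are assumptions made for illustration. It sets the union-based byte-to-limb conversion beside an explicit, endian-independent replacement, plus a `memcpy` bit-cast for the cases where a raw host-order reinterpretation is genuinely wanted:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical 256-bit field element: four 64-bit limbs, least significant
 * first. Illustrative layout only, not BoringSSL's or OpenSSL's actual types. */
#define FELEM_LIMBS 4
#define FELEM_BYTES (FELEM_LIMBS * 8)
typedef uint64_t felem[FELEM_LIMBS];

/* The pattern being removed: write one union member, read the other.
 * C11 defines this (the bytes are reinterpreted as the limb representation);
 * C++ does not, and the result depends on host byte order. Kept for contrast. */
static void felem_from_bytes_union(felem out, const uint8_t in[FELEM_BYTES]) {
  union {
    uint8_t bytes[FELEM_BYTES];
    felem limbs;
  } u;
  memcpy(u.bytes, in, FELEM_BYTES);
  for (size_t i = 0; i < FELEM_LIMBS; i++) {
    out[i] = u.limbs[i]; /* reads the member that was not written */
  }
}

/* Replacement: build each limb from bytes with shifts. No object is ever
 * accessed through a type other than its own, so the code is valid in both C
 * and C++, and the encoding is little-endian on every host. Compilers fold
 * these loops into a single load (plus a byte swap on big-endian targets). */
static uint64_t load_u64_le(const uint8_t in[8]) {
  uint64_t w = 0;
  for (int i = 7; i >= 0; i--) {
    w = (w << 8) | in[i];
  }
  return w;
}

static void store_u64_le(uint8_t out[8], uint64_t w) {
  for (int i = 0; i < 8; i++) {
    out[i] = (uint8_t)(w >> (8 * i));
  }
}

static void felem_from_bytes(felem out, const uint8_t in[FELEM_BYTES]) {
  for (size_t i = 0; i < FELEM_LIMBS; i++) {
    out[i] = load_u64_le(in + 8 * i);
  }
}

static void felem_to_bytes(uint8_t out[FELEM_BYTES], const felem in) {
  for (size_t i = 0; i < FELEM_LIMBS; i++) {
    store_u64_le(out + 8 * i, in[i]);
  }
}

/* When a bit-for-bit reinterpretation in host order really is what is wanted,
 * memcpy into an object of the target type is the defined way to do it in
 * both languages; it compiles to the same single load as the union pun. */
static uint64_t bitcast_u64(const uint8_t in[8]) {
  uint64_t w;
  memcpy(&w, in, sizeof(w));
  return w;
}

/* Constructed 32-byte test vector: byte i has value i. */
static const uint8_t kTestBytes[FELEM_BYTES] = {
    0,  1,  2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31};

/* Returns 1 if the explicit encoding decodes the vector as little-endian
 * limbs, independent of the host, and round-trips back to the same bytes. */
static int felem_roundtrip_ok(void) {
  felem f;
  uint8_t back[FELEM_BYTES];
  felem_from_bytes(f, kTestBytes);
  felem_to_bytes(back, f);
  return f[0] == UINT64_C(0x0706050403020100) &&
         f[3] == UINT64_C(0x1f1e1d1c1b1a1918) &&
         memcmp(back, kTestBytes, FELEM_BYTES) == 0;
}

/* Returns 1 if the union pun and the memcpy bit-cast agree on this host.
 * Both yield host-order limbs, so the pun can be swapped for memcpy without
 * changing behaviour on any platform. */
static int union_matches_bitcast(void) {
  felem f;
  felem_from_bytes_union(f, kTestBytes);
  for (size_t i = 0; i < FELEM_LIMBS; i++) {
    if (f[i] != bitcast_u64(kTestBytes + 8 * i)) {
      return 0;
    }
  }
  return 1;
}
```

On a little-endian host all three conversions produce identical limbs, which is why replacing the union with either the shift-based loads or a `memcpy` bit-cast is a behaviour-preserving change. The difference only shows up when the union version is compiled as C++, or by a compiler that takes a stricter view of which member of the union is live, which is exactly the situation the paragraph above is guarding against.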