OpenSSL 1.1.1l update fixes two vulnerabilities

A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available. It fixes two vulnerabilities:

  • CVE-2021-3711 - A buffer overflow in the implementation of the SM2 cryptographic algorithm (common in China). Because of an error in calculating the buffer size, up to 62 bytes can be overwritten beyond the buffer boundary. By passing specially crafted data for decryption, an attacker could potentially execute code or crash applications that use the EVP_PKEY_decrypt() function to decrypt SM2 data.
  • CVE-2021-3712 - A buffer overflow in the ASN.1 string processing code that could crash an application or disclose the contents of process memory (for example, keys stored in memory) if an attacker somehow manages to create a string in the internal ASN1_STRING structure that is not terminated by a null character and have it processed by OpenSSL certificate output functions such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().

At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, were released. They do not explicitly mention vulnerabilities, but judging by the list of changes, CVE-2021-3712 has been fixed.
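To triage hosts against the releases named above, the following added example (not code from OpenSSL, LibreSSL or the original article) classifies a library version banner, such as the output of `openssl version` or Python's `ssl.OPENSSL_VERSION`, as fixed, predating the fix, or outside what the article covers. The function name, status labels and sample banners are constructed for illustration.

```python
import re
import ssl

# Fixed releases as named in the article; other branches are not covered by it.
OPENSSL_111_FIXED_LETTER = "l"                 # OpenSSL 1.1.1l
LIBRESSL_FIXED_PATCH = {(3, 3): 4, (3, 2): 6}  # LibreSSL 3.3.4 and 3.2.6

_BANNER = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify(banner):
    """Return 'fixed', 'predates-fix' or 'unknown' for a version banner."""
    m = _BANNER.match(banner.strip())
    if not m:
        return "unknown"
    product, letter = m.group(1), m.group(5)
    major, minor, patch = (int(g) for g in m.group(2, 3, 4))

    if product == "OpenSSL":
        if (major, minor, patch) != (1, 1, 1):
            return "unknown"  # the article only speaks about the 1.1.1 series
        # 1.1.1 patch levels are letters: "" (plain 1.1.1) < "a" < ... < "l"
        return "fixed" if letter >= OPENSSL_111_FIXED_LETTER else "predates-fix"

    fixed_patch = LIBRESSL_FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        return "unknown"  # a LibreSSL branch the article does not mention
    return "fixed" if patch >= fixed_patch else "predates-fix"


# Constructed sample banners in the format printed by `openssl version`.
SAMPLES = [
    "OpenSSL 1.1.1k  25 Mar 2021",
    "OpenSSL 1.1.1l  24 Aug 2021",
    "LibreSSL 3.3.3",
    "LibreSSL 3.2.6",
]

if __name__ == "__main__":
    # Also report the library this Python interpreter is linked against.
    for banner in SAMPLES + [ssl.OPENSSL_VERSION]:
        print(f"{classify(banner):13} {banner}")
```

Distribution packages often backport security fixes without changing the upstream version string, so a "predates-fix" result should be confirmed against the vendor's own advisory before acting on it.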

Source: opennet.ru
