Hi Team,
The following critical and high severity vulnerabilities have been discovered in OpenSSL 1.1.1j recently.
- CVE-2021-3711
- CVE-2021-3712
- CVE-2021-3450
- CVE-2021-3449
Do these vulnerabilities affect the zetetic libraries like zetetic-sqlcipher-windows & zetetic-sqlcipher-windows-uap?
Are these vulnerabilities false positive? If yes, could you explain the rationale?
Also, is there a plan for a new release with the fix?
Thanks.
Hello @surajitk - SQLCipher is not affected by these vulnerabilities because it does not utilize SM2, public key cryptographic operations, TLS, or X.509. Thus SQLCipher 4.4.3 packages like zetetic-sqlcipher-windows and zetetic-sqlcipher-windows-uap are not impacted.
We are planning a new SQLCipher release in the near future. It will include an updated version of OpenSSL.
The latest OpenSSL version 1.1.1l is used in SQLCipher 4.5.0.
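The scanner finding in the question is version-based: it sees the OpenSSL version string embedded in the package and matches it against the CVE fix versions, without knowing whether the affected code (TLS, X.509, SM2) is reachable from SQLCipher. The following added example, not part of the original thread or of SQLCipher's own code, reproduces that check so you can confirm which OpenSSL build a binary carries and which of the four CVEs a version-only scanner will flag. The fix versions (1.1.1k for CVE-2021-3449/3450, 1.1.1l for CVE-2021-3711/3712) come from the OpenSSL advisories; the sample "DLL" bytes are constructed for the example.

```python
import re
import sys

# OpenSSL release in which each CVE from the thread was fixed (per the OpenSSL advisories).
FIXED_IN = {
    "CVE-2021-3449": "1.1.1k",  # NULL pointer deref in TLS 1.2 renegotiation (server side)
    "CVE-2021-3450": "1.1.1k",  # X509_V_FLAG_X509_STRICT CA certificate check bypass
    "CVE-2021-3711": "1.1.1l",  # SM2 decryption buffer overflow
    "CVE-2021-3712": "1.1.1l",  # read overrun on non-NUL-terminated ASN.1 strings
}

# OpenSSL embeds OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.1.1j  16 Feb 2021", in every build.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(version):
    """'1.1.1k' -> (1, 1, 1, 'k'); the patch letter sorts after no letter ('1.1.1' < '1.1.1a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def find_openssl_versions(blob):
    """Return the distinct OpenSSL version strings found in a binary, in order of appearance."""
    found = []
    for m in VERSION_RE.finditer(blob):
        version = ".".join(g.decode("ascii") for g in m.groups()[:3]) + m.group(4).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def outstanding_cves(version):
    """CVEs from the thread whose fix release is newer than the given OpenSSL version."""
    have = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if have < parse_version(fixed))


def report(blob):
    """Version-only assessment, i.e. what a dependency scanner sees; says nothing about reachability."""
    lines = []
    versions = find_openssl_versions(blob)
    if not versions:
        lines.append("no OpenSSL version string found")
    for version in versions:
        cves = outstanding_cves(version)
        if cves:
            lines.append("OpenSSL %s: flagged for %s (fixed in %s)" % (
                version, ", ".join(cves), ", ".join(sorted({FIXED_IN[c] for c in cves}))))
        else:
            lines.append("OpenSSL %s: none of the listed CVEs apply by version" % version)
    return lines


# Constructed stand-in for a library file; a real scan would read the DLL from disk.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"OpenSSL 1.1.1j  16 Feb 2021\x00"
    + b"SQLCipher\x00" + b"\x00" * 16
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DLL
    for line in report(data):
        print(line)
```

Run it against sqlcipher.dll (or any binary) by passing the path; with no argument it scans the constructed sample and reports that 1.1.1j is flagged for all four CVEs. That output is exactly the scanner's finding, and it is where the maintainer's reply picks up: whether the flagged code is reachable is a separate question the version string cannot answer, which is why the finding is a false positive for a library that only uses OpenSSL's symmetric ciphers and hashes.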