CVE-2021-3711, CVE-2021-3712, CVE-2021-3450 & CVE-2021-3449

Hi Team,

The following critical and high severity vulnerabilities have been discovered in OpenSSL 1.1.1j recently.

  • CVE-2021-3711
  • CVE-2021-3712
  • CVE-2021-3450
  • CVE-2021-3449

Do these vulnerabilities affect the Zetetic libraries like zetetic-sqlcipher-windows & zetetic-sqlcipher-windows-uap?
Are these vulnerabilities false positives? If yes, could you explain the rationale?
Also, is there a plan for a new release with the fix?

Thanks.

Hello @surajitk - SQLCipher is not affected by these vulnerabilities because it does not utilize SM2, public key cryptographic operations, TLS, or X.509. Thus SQLCipher 4.4.3 packages like zetetic-sqlcipher-windows and zetetic-sqlcipher-windows-uap are not impacted.

We are planning a new SQLCipher release in the near future. It will include an updated version of OpenSSL.

The latest OpenSSL version 1.1.1l is used in SQLCipher 4.5.0.