The vulnerability CVE-2021-4160 was recently discovered in OpenSSL 1.1.1l, and as far as I know OpenSSL 1.1.1l is the version the latest SQLCipher 4.5.0 is using.
Is the vulnerability issue CVE-2021-4160 a false positive?
Is there a plan for a new release with the fix? (As NVD - CVE-2021-4160 points out: fixed in OpenSSL 3.0.1 (affected 3.0.0); fixed in OpenSSL 1.1.1m (affected 1.1.1-1.1.1l).)
Hello @David_Cui - SQLCipher is not affected by CVE-2021-4160 because it doesn’t use EC algorithms. Furthermore, the bug is related to MIPS architectures, and we do not provide prebuilt libraries for that architecture (though it is technically possible to compile them yourself). That said, the next release of SQLCipher, which should be forthcoming, will use OpenSSL 1.1.1m by default.
Hello @sjlombardo - got it. Thanks for your prompt feedback. You have a good day!
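
An added example, not part of the original thread or SQLCipher's code: triaging a scanner finding for CVE-2021-4160 against the three conditions raised above (the affected version ranges quoted in the question, MIPS architecture, and EC use). The function names and the `uses_ec` flag are hypothetical, and matching MIPS by a `mips` prefix on the machine string is an assumption.

```python
import platform
import re

# Affected ranges as quoted in the thread: 3.0.0 (fixed in 3.0.1)
# and 1.1.1 through 1.1.1l (fixed in 1.1.1m).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from e.g. 'OpenSSL 1.1.1l  24 Aug 2021'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def version_in_affected_range(text):
    major, minor, patch, letter = parse_openssl_version(text)
    if (major, minor, patch) == (1, 1, 1):
        # '' (plain 1.1.1) and 'a'..'l' are affected; 'm' and later are fixed.
        return letter <= "l"
    return (major, minor, patch) == (3, 0, 0)


def is_mips(machine):
    # Assumption: MIPS targets report a machine string starting with 'mips'.
    return machine.lower().startswith("mips")


def triage_cve_2021_4160(openssl_version, machine, uses_ec):
    """Return (verdict, reasons); any single unmet condition rules the finding out."""
    reasons = []
    if not version_in_affected_range(openssl_version):
        reasons.append("OpenSSL version is outside the affected ranges")
    if not is_mips(machine):
        reasons.append(f"architecture {machine!r} is not MIPS")
    if not uses_ec:
        reasons.append("application does not use EC algorithms")
    return ("not affected" if reasons else "needs review"), reasons


if __name__ == "__main__":
    # Constructed input: version string from the thread, local machine type,
    # and a reviewer-supplied answer for whether the application uses EC.
    verdict, reasons = triage_cve_2021_4160(
        "OpenSSL 1.1.1l  24 Aug 2021", platform.machine(), uses_ec=False)
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

Recording the reasons next to the verdict gives the scanner suppression a justification that can be re-checked if the build target or the application's algorithm use changes.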