What's the version number of openssl used in version LTS Release 2021.3.25f1? Is there a plan to upgrade openssl to version 1.1.1t?

Please see the link (https://www.openssl.org/news/secadv/20230207.txt) that openssl has a high-severity vulnerability identified early this year. We noticed that Unity had an update in Q1 to upgrade the openssl to version 1.1.1s, but it’s still impacted by this vulnerability. So two questions:

  1. could you please confirm that openssl 1.1.1s is still used in the latest 2021 LTS version of Unity?
  2. if yes, do you have a plan to upgrade the openssl to version 1.1.1t or 3.0.8?


OpenSSL Security Advisory [7th February 2023]
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

Severity: High

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).

This issue was reported on 11th January 2023 by David Benjamin (Google).
The fix was developed by Hugo Landau.
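The practical question in this thread is whether a bundled OpenSSL build (1.1.1s here) is older than the fixed release named in the advisory. The following added example (not from the thread or from Unity) compares OpenSSL version strings using OpenSSL's letter-suffix patch scheme (1.1.1s < 1.1.1t, 1.0.2z < 1.0.2za < ... < 1.0.2zg) and reports whether the CVE-2023-0286 fix is present for each release line; the sample banner and version list are constructed inputs.

```python
import re

# Fixed releases named in the 7 Feb 2023 advisory for CVE-2023-0286, by release line.
FIXED_VERSIONS = {
    "1.0.2": "1.0.2zg",
    "1.1.1": "1.1.1t",
    "3.0": "3.0.8",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def letters_to_int(suffix):
    """Ordinal of a pre-3.0 patch-letter suffix: '' -> 0, 'a' -> 1, 'z' -> 26,
    'za' -> 27, ..., 'zg' -> 33 (OpenSSL continued with 'za', 'zb', ... after 'z')."""
    return sum(ord(ch) - ord("a") + 1 for ch in suffix)


def parse_version(v):
    """'1.1.1s' -> (1, 1, 1, 19); tuples compare in release order."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {v!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters_to_int(letters))


def release_line(v):
    """3.x is MAJOR.MINOR (patch is numeric); older lines are MAJOR.MINOR.PATCH + letter."""
    major, minor, patch, _ = parse_version(v)
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def is_fixed_for_cve_2023_0286(v):
    """True if v is at or past the fixed release for its line, False if older,
    None if the advisory names no fix for that line. This only checks that the
    fix is present; exposure also requires the app to enable X509_V_FLAG_CRL_CHECK."""
    fixed = FIXED_VERSIONS.get(release_line(v))
    if fixed is None:
        return None
    return parse_version(v) >= parse_version(fixed)


def version_from_banner(banner):
    """Extract the version token from `openssl version` output (constructed
    sample: 'OpenSSL 1.1.1s  1 Nov 2022' -> '1.1.1s')."""
    m = re.search(r"\b(\d+\.\d+\.\d+[a-z]*)\b", banner)
    if not m:
        raise ValueError(f"no version found in banner: {banner!r}")
    return m.group(1)


if __name__ == "__main__":
    for v in ["1.1.1s", "1.1.1t", "3.0.7", "3.0.8", "1.0.2zf", "1.0.2zg"]:
        print(f"{v:8} fixed={is_fixed_for_cve_2023_0286(v)}")
```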

Thank you for your feedback. @SteenPetersen Actually I have checked the release notes of Unity LTS 2021 to find some updates on openssl.
We can see from Unity that openssl 1.1.1s is used since LTS Release 2021.3.17f1 (Unity QA - LTS Releases), and there are no other updates to the openssl version in the following versions. So I assume openssl 1.1.1s is still used in the latest Unity LTS 2021 version. I have raised another technical support request for this, the link is: