GHSA-3gxf-9r58-2ghg: `openssl` `X509NameBuilder::build` returned object is not thread safe

March 24, 2023

OpenSSL has a modified bit that it can set on on X509_NAME objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.

References

github.com/advisories/GHSA-3gxf-9r58-2ghg
github.com/sfackler/rust-openssl/pull/1854
rustsec.org/advisories/RUSTSEC-2023-0022.html

Detect and mitigate GHSA-3gxf-9r58-2ghg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →