Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)


Topic review


Re: OpenSSL CVE-2022-3786 and CVE-2022-3602 impact

Yes, the current version of WinSCP is based on OpenSSL 1.1.1. No version of WinSCP ever used OpenSSL 3.0.

So, no version of WinSCP is vulnerable to CVE-2022-3786 or CVE-2022-3602.
kyle ct

Inspecting the Download Source and WinSCP history link, I noted since v5.21.2(2022-08-08) the OpenSSL version was set to 1.1.1q.
OpenSSL 1.1.1q 5 Jul 2022
kyle ct

OpenSSL CVE-2022-3786 and CVE-2022-3602 impact

Based upon previous posts WinSCP uses OpenSSL for FTP over TLS.
Bug 1151 – OpenSSL vulnerability CVE-2014-0160

Is there any confirmation that OpenSSL versions(3.0.0 – 3.0.6) are not bundled into the current versions? If so, is there an update planned with version 3.0.7?