This issue is almost a year old and we are no nearer closing the gap at all.
How hard could it possibly be for a developer at Zoom to check upstream dependencies on a regular basis.
OpenSSL 3.1.6 was released on the 4th of June 2024 and 3.17 was released on the 3rd of September 2024.
I keep seeing a repeating pattern of Zoom not accurately declaring which CVE’s are backported (under the 3.1.5 version) from the OpenSSL 3.1.6 / 3.17 when they were still in WIP.
To be 100% clear, now that those versions are released, Zoom should have the 3.1.7 version code in the .dll files on all releases going forward.
Now that they are released Zoom should be monitoring the upstream vulnerability pages for security fix commits in the 3.1.8 branch etc.
The URL for convenience is… (replace SLASH with / as this page is blocked for me to post on the zoom online platform).
https:SLASHSLASHopenssl-library.orgSLASHnewsSLASHvulnerabilitiesSLASHindex.html