`openssl` `X509NameBuilder::build` returned object is not thread safe

Published: Mar 24, 2023
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-3gxf-9r58-2ghg" target="_blank" rel="noopener"> GHSA-3gxf-9r58-2ghg
Severity: Medium
Exploit:

OpenSSL has a modified bit that it can set on on X509_NAME objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.