I don’t know. There, that was easy. Yesterday I wrote a post about the Chia 1.3.3 re-release to re-fix the OpenSSL vulnerability on Windows. I have had them tell me in the past they don’t test everything on Windows. For example, when I was trying to get their crawler to run I was told they hadn’t even tried to run it on Windows before, along with many of their internal tools. That’s pretty clear. So when they re-issued this update I assumed it was because no one had bothered to look.
They (rightly) took exception to that, and called me out on it here on Reddit. So they were claiming they had looked and it did check out so they released the build. Obviously I had to check that out myself to be sure. And it turns out that Python deployed with Chia 1.3.2 on Windows does indeed spit out the correctly fixed version of OpenSSL when a check is run.
So I got this one wrong. I am updating the other post to say that and link to this proof. My apologies to the Chia Network team for unfairly calling you out on this one. I would not have caught this on a build check either, and kudos to their team for catching the discrepancy even when Python tells you it is loading the correct build.
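One way to cross-check the point above, that a build can ship a different OpenSSL than the one Python reports (an added example, not part of the original post and not Chia's tooling): scan the binaries under an install directory for the version banner OpenSSL embeds and list any that differ from what the `ssl` module says. The function names, the `.dll`/`.pyd` filter and the sample bytes are assumptions made for the illustration.

```python
import re
import ssl
import sys
from pathlib import Path

# Banner that OpenSSL builds embed in the binary, e.g. "OpenSSL 1.1.1m  14 Dec 2021".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")

# Constructed sample bytes standing in for a fragment of a libcrypto DLL.
SAMPLE = b"\x00\x01OpenSSL 1.1.1m  14 Dec 2021\x00built on: ...\x00"

def embedded_versions(blob: bytes) -> set[str]:
    """Return every OpenSSL version found in a binary's raw bytes."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}

def runtime_version() -> str:
    """Version the interpreter's ssl module reports, e.g. '1.1.1n'."""
    return ssl.OPENSSL_VERSION.split()[1]

def audit(root: Path, expected: str) -> dict[str, set[str]]:
    """Map each .dll/.pyd under root to embedded versions other than expected."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".dll", ".pyd"}:
            other = embedded_versions(path.read_bytes()) - {expected}
            if other:
                findings[str(path)] = other
    return findings

if __name__ == "__main__":
    # Usage: python check_openssl.py <install dir>  (defaults to this interpreter's prefix)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(sys.prefix)
    expected = runtime_version()
    print(f"ssl module reports OpenSSL {expected}")
    print(f"constructed sample contains: {sorted(embedded_versions(SAMPLE))}")
    for path, versions in sorted(audit(root, expected).items()):
        print(f"MISMATCH {path}: {', '.join(sorted(versions))}")
```

A mismatch line means some binary in the tree carries its own copy of OpenSSL, which the interpreter's version string will never reveal.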
If OpenSSL’s libcrypto could speak, it would’ve screamed 1.1.1m.
Moreover, because I’m a contrarian, Chia was -never- vulnerable.
It actually was, because they use client TLS certificates for auth.