Sandfly's core server and API are written in Go, and the TLS libraries are not affected by this bug. However, out of an abundance of caution and to assist customers with their own compliance needs, we are releasing updated Docker images that include the fixed version of OpenSSL. The v4.2.3 release of Sandfly is functionally equivalent to the v4.2.2 release.
Specifically, the sandfly-server and sandfly-node images, which are based on Ubuntu 22.04 LTS, now ship the libssl3 3.0.2-0ubuntu1.7 package, which contains the fix. The sandfly-rabbit image is based on Ubuntu 20.04 LTS, which does not include a vulnerable version of OpenSSL.
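For compliance evidence, the package version can be read from each pulled image. The script below is an added example, not part of Sandfly's tooling. It assumes the Docker CLI is available, that the caller supplies the image references, and that `dpkg-query` exists in the image (true for Ubuntu-based images).

```shell
#!/bin/sh
# Added example: report whether an image's libssl3 is at or above the fixed build.
FIXED="3.0.2-0ubuntu1.7"   # fixed libssl3 version stated in the release note

# Return 0 if version $1 is >= FIXED.
libssl3_is_fixed() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$FIXED"
    else
        # Fallback without dpkg: GNU version sort, adequate for these strings.
        [ "$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)" = "$FIXED" ]
    fi
}

# Map a libssl3 version string (empty = package not installed) to a status.
classify_libssl3() {
    if [ -z "$1" ]; then
        echo "no-libssl3"        # e.g. an Ubuntu 20.04 base without OpenSSL 3.x
    elif libssl3_is_fixed "$1"; then
        echo "fixed"
    else
        echo "needs-update"
    fi
}

# Query one image; the image reference is supplied by the caller.
check_image() {
    ver=$(docker run --rm --entrypoint dpkg-query "$1" \
          -W -f='${Version}' libssl3 2>/dev/null)
    rc=$?
    case "$rc" in
        0) ;;
        1) ver="" ;;             # dpkg-query: no such package in the image
        *) echo "$1 error: docker run exited $rc" >&2; return 2 ;;
    esac
    echo "$1 libssl3=${ver:-absent} status=$(classify_libssl3 "$ver")"
}

# Usage: sh check-libssl3.sh <image-ref> [<image-ref> ...]
for image in "$@"; do
    check_image "$image"
done
```

An image built on Ubuntu 20.04 is expected to report `no-libssl3`, because that release does not package OpenSSL 3.x as libssl3.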
Customers wishing to upgrade can follow the instructions here:
If you have any questions, please reach out to us.