Opened 14 months ago
Closed 9 months ago
#810 closed defect (fixed)
Vulnerable OpenSSL v1.1.1 DLLs exist in OSGEO4W install
Reported by: | ascottwwf | Owned by: |
---|---|---|---
Priority: | normal | Component: | Installer
Version: | | Keywords: | OpenSSL Vulnerabilities
Cc: | | |
Description
Hello,
If you are not already aware, OpenSSL v1.1.1 went End-of-Life on the 11th September 2023 (https://www.openssl.org/blog/blog/2023/09/11/eol-111/). As a result of this, any security issues with this version will no longer be patched (unless an OpenSSL extended support agreement is in place). This has the potential to leave any product (e.g. OSGEO4W) vulnerable due to the use of this EOL version of OpenSSL.
"All older versions (including 1.1.1, 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 3.1 or 3.0 as soon as possible. Extended support for 1.1.1 and 1.0.2 to gain access to security fixes for those versions is available." Source: https://www.openssl.org/source/
Using the following PowerShell against my installation folder (C:\Program Files\OSGEO4W\) of the latest OSGEO4W Install (fresh install, nothing existed before):

```powershell
# Find every OpenSSL library/binary under the current folder and list its embedded version info
Get-ChildItem *libcrypt*.dll,*libssl*.dll,*openssl.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object versioninfo -ExpandProperty versioninfo |
    Sort-Object ProductVersion,FileVersionRaw,Filename |
    Select-Object ProductVersion,FileVersionRaw,Filename |
    ft -auto
```

The following OpenSSL v1.1.1 DLLs are found:

```
ProductVersion FileVersionRaw FileName
-------------- -------------- --------
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\apps\Python39\DLLs\libcrypto-1_1.dll
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\apps\Python39\DLLs\libssl-1_1.dll
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\bin\libcrypto-1_1-x64.dll
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\bin\libssl-1_1-x64.dll
```
As of now there is 1 CVE (CVE-2023-5678) that exists in v1.1.1w. Source: https://www.openssl.org/news/vulnerabilities-1.1.1.html
Please can you confirm if OSGEO4W has an extended support agreement with OpenSSL to continue supporting v1.1.1,
or
can you confirm when you will be updating to the latest OpenSSL v3.0.x, v3.1.x or v3.2.x (N.B. v3.2 is imminently due for release)?
Source: https://www.openssl.org/blog/blog/2023/11/08/ossl_32_FR_blog1/
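The one-liner above lists versions but leaves the reader to judge which ones are out of support. As an added example (not part of the ticket or the OSGeo4W project), the script below generalises that check into a reusable inventory: it walks an install root, reads the version resource of every OpenSSL library or binary, and flags any release line below 3.0 as EOL, per the openssl.org statement quoted in the ticket. The function name `Find-EolOpenSsl` and the install path are assumptions.

```powershell
# Added example, not from the ticket. Scans an install tree for OpenSSL DLLs/EXEs
# and reports which ones belong to an out-of-support release line.
# Assumption: every 0.x/1.x line is EOL (per openssl.org); 3.x lines are treated as
# "supported-line" here, but each 3.x line has its own EOL date, so confirm on openssl.org.
function Find-EolOpenSsl {
    param(
        [Parameter(Mandatory)] [string] $Root   # install root, e.g. 'C:\Program Files\OSGeo4W_v2'
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(libcrypto|libssl).*\.dll$|^openssl\.exe$' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # ProductVersion looks like "1.1.1w" or "3.1.4"; keep only the numeric release line.
            # Cast to [string] so a file without a version resource yields '' instead of $null.
            $m = [regex]::Match([string]$vi.ProductVersion, '^(\d+)\.(\d+)(?:\.(\d+))?')
            $status = if (-not $m.Success) { 'unknown' }
                      elseif ([int]$m.Groups[1].Value -lt 3) { 'EOL' }
                      else { 'supported-line' }
            [pscustomobject]@{
                Status         = $status
                ReleaseLine    = if ($m.Success) { $m.Value } else { $null }
                ProductVersion = $vi.ProductVersion
                FileVersion    = $vi.FileVersionRaw
                Path           = $_.FullName
            }
        }
}

# Usage: full inventory, then a per-line count of the EOL findings.
$report = Find-EolOpenSsl -Root 'C:\Program Files\OSGeo4W_v2'
$report | Sort-Object Status, ProductVersion, Path | Format-Table -AutoSize
$report | Where-Object Status -eq 'EOL' | Group-Object ReleaseLine | ForEach-Object {
    '{0}: {1} file(s) on an out-of-support release line' -f $_.Name, $_.Count
}
```

Files that report `unknown` (no version resource, or a non-numeric ProductVersion) still deserve a manual look, since a stripped or repackaged DLL is exactly the case an automated inventory misses.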
We don't. And there is no schedule on updating to OpenSSL3.