Opened 6 months ago
Closed 6 months ago
#837 closed defect (fixed)
Vulnerable OpenSSL v3.0.13 DLLs exist in OSGEO4W install
| Reported by: | ascottwwf | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | Installer |
| Version: | Keywords: | ||
| Cc: |
Description
Thank you for recently resolving the previous ticket relating to OpenSSL v1.1.1 DLLs (https://trac.osgeo.org/osgeo4w/ticket/810)
The latest QGIS OSGeo4W_v2 installer now installs 4 OpenSSL v3.0.13 DLLs this OpenSSL version is vulnerable to the following 3 Low Severity CVEs (https://www.openssl.org/news/vulnerabilities-3.0.html):
- CVE-2024-4741 Use After Free with SSL_free_buffers [Low severity] 27 May 2024
- CVE-2024-4603 Excessive time spent checking DSA keys and parameters [Low severity] 16 May 2024
- CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3 [Low severity] 08 April 2024
Evidence of my findings (using the following PowerShell):
$files = 'libcrypto*.dll','libssl*.dll',’*openssl.exe’ cd 'C:\Program Files\OSGeo4W_v2\' Get-ChildItem $($files) -Recurse -Force -ErrorAction SilentlyContinue | Select-Object * -ExpandProperty VersionInfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename,FileDescription,CompanyName,LegalCopyright | ft -auto
Results:
ProductVersion FileVersionRaw FileName FileDescription CompanyName LegalCopyright -------------- -------------- -------- --------------- ----------- -------------- 3.0.13 3.0.13.0 C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved. 3.0.13 3.0.13.0 C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libssl-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved. 3.0.13 3.0.13.0 C:\Program Files\OSGeo4W_v2\bin\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved. 3.0.13 3.0.13.0 C:\Program Files\OSGeo4W_v2\bin\libssl-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
OpenSSL will be releasing updated versions on Tuesday 4th June to fix the above CVEs – See attached email from OpenSSL confirming this.
Please can you confirm that the OpenSSL DLLs included in OSGeo4W_v2 will be updated, so they use the latest OpenSSL v3.0.14 version (or v3.1.6, v3.2.2 or v3.3.1)?
Regards, Adrian Scott
Attachments (1)
Change History (4)
by , 6 months ago
| Attachment: | New OpenSSL Releases.msg added |
|---|
comment:1 by , 6 months ago
Odd attachment. Apparently the same as https://mta.openssl.org/pipermail/openssl-announce/2024-May/000305.html.
comment:2 by , 6 months ago
Apologies, it was an Outlook .msg file
Yes that is exactly the notice received from OpenSSL
comment:3 by , 6 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
New OpenSSL Releases email from OpenSSL