Opened 7 months ago

Closed 7 months ago

#837 closed defect (fixed)

Vulnerable OpenSSL v3.0.13 DLLs exist in OSGEO4W install

Reported by: ascottwwf Owned by: osgeo4w-dev@…
Priority: normal Component: Installer
Version: Keywords:
Cc:

Description

Thank you for recently resolving the previous ticket relating to OpenSSL v1.1.1 DLLs (https://trac.osgeo.org/osgeo4w/ticket/810)

The latest QGIS OSGeo4W_v2 installer now installs 4 OpenSSL v3.0.13 DLLs this OpenSSL version is vulnerable to the following 3 Low Severity CVEs (https://www.openssl.org/news/vulnerabilities-3.0.html):

  • CVE-2024-4741 Use After Free with SSL_free_buffers [Low severity] 27 May 2024
  • CVE-2024-4603 Excessive time spent checking DSA keys and parameters [Low severity] 16 May 2024
  • CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3 [Low severity] 08 April 2024

Evidence of my findings (using the following PowerShell):

$files = 'libcrypto*.dll','libssl*.dll',’*openssl.exe’
cd 'C:\Program Files\OSGeo4W_v2\'
Get-ChildItem $($files) -Recurse -Force -ErrorAction SilentlyContinue | Select-Object * -ExpandProperty VersionInfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename,FileDescription,CompanyName,LegalCopyright | ft -auto

Results:

ProductVersion FileVersionRaw FileName                                                            FileDescription CompanyName                                   LegalCopyright
-------------- -------------- --------                                                            --------------- -----------                                   --------------
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libssl-3-x64.dll    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\bin\libcrypto-3-x64.dll                 OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\bin\libssl-3-x64.dll                    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.

OpenSSL will be releasing updated versions on Tuesday 4th June to fix the above CVEs – See attached email from OpenSSL confirming this.

Please can you confirm that the OpenSSL DLLs included in OSGeo4W_v2 will be updated, so they use the latest OpenSSL v3.0.14 version (or v3.1.6, v3.2.2 or v3.3.1)?

Regards, Adrian Scott

Attachments (1)

New OpenSSL Releases.msg (109.0 KB ) - added by ascottwwf 7 months ago.
New OpenSSL Releases email from OpenSSL

Download all attachments as: .zip

Change History (4)

by ascottwwf, 7 months ago

Attachment: New OpenSSL Releases.msg added

New OpenSSL Releases email from OpenSSL

comment:2 by ascottwwf, 7 months ago

Apologies, it was an Outlook .msg file

Yes that is exactly the notice received from OpenSSL

Last edited 7 months ago by ascottwwf (previous) (diff)

comment:3 by jef, 7 months ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.