Opened 5 weeks ago

Closed 5 weeks ago

#852 closed defect (invalid)

Vulnerable OpenSSL v3.0.14 DLLs exist in OSGEO4W install

Reported by: ascottwwf Owned by: osgeo4w-dev@…
Priority: normal Component: Package
Version: Keywords:
Cc:

Description

The latest QGIS OSGeo4W_v2 installer installs 4 OpenSSL v3.0.14 DLLs; this version is vulnerable to the following CVEs (https://openssl-library.org/news/vulnerabilities-3.0/index.html):

  • CVE-2024-5535 - SSL_select_next_proto buffer overread [Low severity] 26 June 2024
  • CVE-2024-6119 - Possible denial of service in X.509 name checks [Moderate severity] 03 September 2024

Evidence of my findings (using the following PowerShell):

$files = 'libcrypto*.dll','libssl*.dll','*openssl.exe'
cd 'C:\Program Files\OSGeo4W_v2\'
Get-ChildItem $($files) -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object * -ExpandProperty VersionInfo |
    Sort-Object ProductVersion,FileVersionRaw,Filename |
    Select-Object ProductVersion,FileVersionRaw,Filename,FileDescription,CompanyName,LegalCopyright |
    ft -auto

Results:

ProductVersion FileVersionRaw FileName                                                            FileDescription CompanyName                                   LegalCopyright
-------------- -------------- --------                                                            --------------- -----------                                   --------------
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libssl-3-x64.dll    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\bin\libcrypto-3-x64.dll                 OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\bin\libssl-3-x64.dll                    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.

OpenSSL released version 3.0.15 on Tuesday 3rd September to fix both of the above CVEs.

Please can the OpenSSL DLLs included in OSGeo4W_v2 be updated, so they use the latest OpenSSL v3.0.15 version (or v3.1.7, v3.2.3 or v3.3.2)?

Thanks in advance,
Adrian Scott
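The one-liner above lists versions but leaves the comparison against the fixed releases to the reader. The following script is an added example, not part of the ticket or of the OSGeo4W project: it walks an install root, reads the OpenSSL DLL version resources the same way, and flags every file below the first patched release of its branch (3.0.15, 3.1.7, 3.2.3, 3.3.2, as named in the ticket). The default install root `C:\OSGeo4W` is an assumption and can be overridden with `-Root`.

```powershell
# Added example (not from the ticket or OSGeo4W): flag OpenSSL DLLs under an
# install root that predate the fixed release for their branch.
param(
    [string]$Root = 'C:\OSGeo4W'   # assumption: default OSGeo4W install root
)

# First patched release per OpenSSL branch, as listed in the ticket.
$fixed = @{
    '3.0' = [version]'3.0.15'
    '3.1' = [version]'3.1.7'
    '3.2' = [version]'3.2.3'
    '3.3' = [version]'3.3.2'
}

$patterns = 'libcrypto*.dll', 'libssl*.dll'

Get-ChildItem -Path $Root -Include $patterns -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # ProductVersion carries the human-readable OpenSSL version ("3.0.14").
        # Drop any suffix such as "-dev" before casting to [version].
        $raw = ($vi.ProductVersion -split '[-\s]')[0]
        $ver = $null
        if (-not [version]::TryParse($raw, [ref]$ver)) {
            $status = 'unknown-version'
        }
        else {
            $branch = '{0}.{1}' -f $ver.Major, $ver.Minor
            if ($fixed.ContainsKey($branch)) {
                $status = if ($ver -lt $fixed[$branch]) { 'VULNERABLE' } else { 'ok' }
            }
            else {
                # A branch the table does not know (e.g. 1.1.x) needs a manual look.
                $status = 'unlisted-branch'
            }
        }
        [pscustomobject]@{
            Status         = $status
            ProductVersion = $vi.ProductVersion
            FileVersion    = $vi.FileVersionRaw
            Path           = $_.FullName
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Run it as `.\Check-OpenSslDlls.ps1 -Root 'C:\Program Files\OSGeo4W_v2'` against the layout from the report; a 3.0.14 DLL comes out as `VULNERABLE` and a 3.0.15 one as `ok`. Comparing on the parsed `ProductVersion` rather than the raw string avoids the usual trap where `3.0.9` sorts after `3.0.15` lexically.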

Change History (1)

comment:1 by jef, 5 weeks ago

Resolution: invalid
Status: new → closed

Not reproducible.

Fresh install of python3-core and openssl:

PS C:\Users\WDAGUtilityAccount> $files = 'libcrypto*.dll','libssl*.dll',’*openssl.exe’
>> cd 'C:\OSGeo4W\'
>> Get-ChildItem $($files) -Recurse -Force -ErrorAction SilentlyContinue | Select-Object * -ExpandProperty VersionInfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename,FileDescription,CompanyName,LegalCopyright | ft -auto

ProductVersion FileVersionRaw FileName                                           FileDescription CompanyName
-------------- -------------- --------                                           --------------- -----------
3.0.15         3.0.15.0       C:\OSGeo4W\apps\Python312\DLLs\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project...
3.0.15         3.0.15.0       C:\OSGeo4W\apps\Python312\DLLs\libssl-3-x64.dll    OpenSSL library The OpenSSL Project...
3.0.15         3.0.15.0       C:\OSGeo4W\bin\libcrypto-3-x64.dll                 OpenSSL library The OpenSSL Project...
3.0.15         3.0.15.0       C:\OSGeo4W\bin\libssl-3-x64.dll                    OpenSSL library The OpenSSL Project...
PS C:\OSGeo4W>