#837: Vulnerable OpenSSL v3.0.13 DLLs exist in OSGEO4W install
----------------------+---------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: normal | Component: Installer
Version: | Keywords:
----------------------+---------------------------
Thank you for recently resolving the previous ticket relating to OpenSSL
v1.1.1 DLLs (https://trac.osgeo.org/osgeo4w/ticket/810).
The latest QGIS OSGeo4W_v2 installer now installs 4 OpenSSL v3.0.13 DLLs;
this OpenSSL version is vulnerable to the following 3 Low Severity CVEs
(https://www.openssl.org/news/vulnerabilities-3.0.html):
- CVE-2024-4741 Use After Free with SSL_free_buffers [Low severity] 27 May 2024
- CVE-2024-4603 Excessive time spent checking DSA keys and parameters [Low severity] 16 May 2024
- CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3 [Low severity] 08 April 2024
Evidence of my findings (using the following PowerShell):
{{{
# List every OpenSSL DLL/EXE under the install root together with its embedded version info
$files = 'libcrypto*.dll','libssl*.dll','*openssl.exe'
cd 'C:\Program Files\OSGeo4W_v2\'
Get-ChildItem $files -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object * -ExpandProperty VersionInfo |
    Sort-Object ProductVersion,FileVersionRaw,FileName |
    Select-Object ProductVersion,FileVersionRaw,FileName,FileDescription,CompanyName,LegalCopyright |
    Format-Table -AutoSize
}}}
Results:
{{{
ProductVersion FileVersionRaw FileName                                                            FileDescription CompanyName                                    LegalCopyright
-------------- -------------- --------                                                            --------------- -----------                                    --------------
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libssl-3-x64.dll    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\bin\libcrypto-3-x64.dll                 OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.13         3.0.13.0       C:\Program Files\OSGeo4W_v2\bin\libssl-3-x64.dll                    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
}}}
OpenSSL will be releasing updated versions on Tuesday 4th June to fix the
above CVEs – See attached email from OpenSSL confirming this.
Please can you confirm that the OpenSSL DLLs included in OSGeo4W_v2 will
be updated, so they use the latest OpenSSL v3.0.14 version (or v3.1.6,
v3.2.2 or v3.3.1)?
Regards,
Adrian Scott
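An added check, not from the ticket or from the OSGeo4W project, that turns the inventory above into a pass/fail result: it compares each found DLL's FileVersionRaw against the first fixed release of its branch (assumed to be the versions the ticket names: 3.0.14, 3.1.6, 3.2.2, 3.3.1) and reports every copy that is below it. The install root is the one shown in the ticket's output.

```powershell
# Added example: flag OpenSSL 3.x DLLs whose file version is below the fixed release of their branch.
# Assumption: these are the first patched releases per branch, taken from the ticket text.
$fixedByBranch = @{
    '3.0' = [version]'3.0.14'
    '3.1' = [version]'3.1.6'
    '3.2' = [version]'3.2.2'
    '3.3' = [version]'3.3.1'
}
$root = 'C:\Program Files\OSGeo4W_v2'   # install root from the ticket; adjust for your machine

function Get-OpenSslDllStatus {
    param([string]$Root, [hashtable]$FixedByBranch)
    Get-ChildItem -Path $Root -Include 'libcrypto*.dll','libssl*.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersionRaw is a [version] (e.g. 3.0.13.0), so the comparison is numeric, not string-based
            $v   = $_.VersionInfo.FileVersionRaw
            $min = if ($v) { $FixedByBranch[('{0}.{1}' -f $v.Major, $v.Minor)] }
            $status = if (-not $v)         { 'no version info' }   # file carries no version resource
                      elseif (-not $min)   { 'unknown branch' }    # a branch this table does not cover
                      elseif ($v -lt $min) { 'VULNERABLE' }
                      else                 { 'ok' }
            $minText = if ($min) { $min.ToString() } else { '-' }
            [pscustomobject]@{
                Status       = $status
                FileVersion  = if ($v) { $v.ToString() } else { '-' }
                FixedVersion = $minText
                Path         = $_.FullName
            }
        }
}

# Every physical copy is reported on its own line: the ticket shows both bin\ and
# apps\Python312\DLLs\ carrying their own libcrypto/libssl, and each must be updated.
$report = Get-OpenSslDllStatus -Root $root -FixedByBranch $fixedByBranch
$report | Sort-Object Status, Path | Format-Table -AutoSize
if ($report | Where-Object Status -eq 'VULNERABLE') { exit 1 }   # non-zero exit for an inventory/CI job
```

Against the output in the ticket, all four 3.0.13.0 copies come out as VULNERABLE and the script exits 1; after an update to 3.0.14 or later they report ok.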
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/837>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
_______________________________________________
osgeo4w-dev mailing list
https://lists.osgeo.org/mailman/listinfo/osgeo4w-dev