[osgeo4w-dev] [osgeo4w] #810: Vulnerable OpenSSL v1.1.1 DLLs exist in OSGEO4W install
OSGeo4W
trac_osgeo4w at osgeo.org
Mon Nov 20 08:54:56 PST 2023
#810: Vulnerable OpenSSL v1.1.1 DLLs exist in OSGEO4W install
----------------------+-------------------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: normal | Component: Installer
Version: | Keywords: OpenSSL Vulnerabilities
----------------------+-------------------------------------
Hello,
If you are not already aware, OpenSSL v1.1.1 went End-of-Life on 11
September 2023 (https://www.openssl.org/blog/blog/2023/09/11/eol-111/). As
a result, any security issues with this version will no longer be
patched (unless an OpenSSL extended support agreement is in place). This
has the potential to leave any product (e.g. OSGEO4W) vulnerable due to
the use of this EOL version of OpenSSL.
''"All older versions (including 1.1.1, 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are
now out of support and should not be used. Users of these older versions
are encouraged to upgrade to 3.1 or 3.0 as soon as possible. Extended
support for 1.1.1 and 1.0.2 to gain access to security fixes for those
versions is available."'' Source: https://www.openssl.org/source/
Using the following PowerShell against my installation folder (C:\Program
Files\OSGEO4W\) of the latest OSGEO4W install (fresh install, nothing
existed before):
{{{
Get-ChildItem *libcrypt*.dll,*libssl*.dll,*openssl.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty VersionInfo |
    Sort-Object ProductVersion, FileVersionRaw, FileName |
    Select-Object ProductVersion, FileVersionRaw, FileName |
    Format-Table -AutoSize
}}}
The following OpenSSL v1.1.1 DLLs are found:
{{{
ProductVersion FileVersionRaw FileName
-------------- -------------- --------
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\apps\Python39\DLLs\libcrypto-1_1.dll
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\apps\Python39\DLLs\libssl-1_1.dll
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\bin\libcrypto-1_1-x64.dll
1.1.1w         1.1.1.23       C:\Program Files\OSGeo4W_v2\bin\libssl-1_1-x64.dll
}}}
As of now there is 1 CVE (CVE-2023-5678) that exists in v1.1.1w.
Source: https://www.openssl.org/news/vulnerabilities-1.1.1.html
Please can you confirm if OSGEO4W has an extended support agreement with
OpenSSL to continue supporting v1.1.1, or can you confirm when you will
be updating to the latest OpenSSL v3.0.x, v3.1.x or v3.2.x (N.B. v3.2 is
imminently due for release)?
Source: https://www.openssl.org/blog/blog/2023/11/08/ossl_32_FR_blog1/
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/810>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
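The one-liner in the ticket lists every OpenSSL binary it finds but leaves the reader to judge which versions are out of support. The following PowerShell is an added example (not code from the ticket or from the OSGeo4W project) that performs the same recursive walk and flags any copy whose ProductVersion falls in a branch OpenSSL has declared end-of-life; the default install root and the extra legacy DLL name patterns are assumptions, and the EOL branch list is taken from the openssl.org notice quoted in the ticket.

```powershell
# Added example, not code from the ticket or from the OSGeo4W project.
# Walks an install tree for OpenSSL binaries and flags any whose ProductVersion
# belongs to a branch OpenSSL no longer supports. The -Root default is an
# assumption; point it at your actual OSGeo4W directory.

# Branches listed as out of support in the openssl.org notice quoted above.
$EolSeries = @('0.9.8', '1.0.0', '1.0.2', '1.1.0', '1.1.1')

function Get-OpenSslSeries {
    # Reduce a ProductVersion string to its release branch:
    # "1.1.1w" -> "1.1.1", "3.1.4" -> "3.1". Returns $null if unrecognised.
    param([string]$ProductVersion)
    if ($ProductVersion -match '^(1\.\d+\.\d+)[a-z]*') { return $Matches[1] }
    if ($ProductVersion -match '^(\d+\.\d+)\.\d+')    { return $Matches[1] }
    return $null
}

function Find-OpenSslBinaries {
    param([string]$Root = 'C:\OSGeo4W')   # assumed path; adjust to your install
    # Patterns from the ticket plus the legacy 1.0.x DLL names (libeay32/ssleay32).
    $patterns = '*libcrypto*.dll', '*libssl*.dll', 'libeay32.dll', 'ssleay32.dll', 'openssl.exe'
    Get-ChildItem -Path $Root -Include $patterns -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $version = $_.VersionInfo.ProductVersion
            $series  = Get-OpenSslSeries $version
            [pscustomobject]@{
                Path           = $_.FullName
                ProductVersion = $version
                Series         = $series
                EndOfLife      = ($null -ne $series -and $EolSeries -contains $series)
            }
        }
}

# Report with end-of-life copies first, so the ones needing attention are at the top.
$results = Find-OpenSslBinaries
$results | Sort-Object -Property @{Expression = 'EndOfLife'; Descending = $true}, Path |
    Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or CI job fail the check automatically.
if ($results | Where-Object EndOfLife) { exit 1 }
```

ProductVersion comes from the DLL's embedded version resource, so a binary with a missing or non-standard resource shows an empty Series and is not flagged; review those rows by hand rather than treating them as clean.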