[osgeo4w-dev] [osgeo4w] #852: Vulnerable OpenSSL v3.0.14 DLLs exist in OSGEO4W install
OSGeo4W
trac_osgeo4w at osgeo.org
Wed Sep 11 06:03:30 PDT 2024
#852: Vulnerable OpenSSL v3.0.14 DLLs exist in OSGEO4W install
----------------------+---------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: normal | Component: Package
Version: | Keywords:
----------------------+---------------------------
The latest QGIS OSGeo4W_v2 installer installs 4 OpenSSL v3.0.14 DLLs; this
version is vulnerable to the following CVEs
(https://openssl-library.org/news/vulnerabilities-3.0/index.html):
- CVE-2024-5535 - SSL_select_next_proto buffer overread [Low severity], 26 June 2024
- CVE-2024-6119 - Possible denial of service in X.509 name checks [Moderate severity], 03 September 2024
Evidence of my findings (using the following PowerShell):
{{{
$files = 'libcrypto*.dll','libssl*.dll','*openssl.exe'
cd 'C:\Program Files\OSGeo4W_v2\'
Get-ChildItem $($files) -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object * -ExpandProperty VersionInfo |
    Sort-Object ProductVersion,FileVersionRaw,FileName |
    Select-Object ProductVersion,FileVersionRaw,FileName,FileDescription,CompanyName,LegalCopyright |
    ft -auto
}}}
Results:
{{{
ProductVersion FileVersionRaw FileName                                                          FileDescription CompanyName                                   LegalCopyright
-------------- -------------- --------                                                          --------------- -----------                                   --------------
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\apps\Python312\DLLs\libssl-3-x64.dll    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\bin\libcrypto-3-x64.dll                 OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.0.14         3.0.14.0       C:\Program Files\OSGeo4W_v2\bin\libssl-3-x64.dll                    OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
}}}
OpenSSL released version 3.0.15 on Tuesday 3rd September to fix both of
the above CVEs.
Please can the OpenSSL DLLs included in OSGeo4W_v2 be updated, so they use
the latest OpenSSL v3.0.15 version (or v3.1.7, v3.2.3 or v3.3.2)?
Thanks in advance,
\\Adrian Scott
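The ticket's PowerShell only lists versions; the decision of which copies are still affected is left to the reader. The script below is an added example, not part of the ticket or of the OSGeo4W project. It walks an install root, reads the PE version resource of every OpenSSL DLL or executable it finds, and compares it against the first fixed release of that file's branch. The root path and the fixed versions (3.0.15, 3.1.7, 3.2.3, 3.3.2) are taken from the ticket; the `$MinimumFixed` table, the `Get-OpenSslBranch` helper and the exit-code convention are assumptions of this example.

```powershell
# Added example (not from the ticket): audit OpenSSL binaries under an install
# root and flag any whose file version is older than its branch's fixed release.
# Assumed values: the root path and the fixed releases listed in the ticket.
$Root = 'C:\Program Files\OSGeo4W_v2'

# First release per OpenSSL branch that fixes CVE-2024-5535 and CVE-2024-6119,
# as named in the ticket. Branches not listed here are reported as unknown.
$MinimumFixed = @{
    '3.0' = [version]'3.0.15'
    '3.1' = [version]'3.1.7'
    '3.2' = [version]'3.2.3'
    '3.3' = [version]'3.3.2'
}

# Hypothetical helper: reduce a System.Version to its "major.minor" branch key.
function Get-OpenSslBranch([version]$Version) {
    '{0}.{1}' -f $Version.Major, $Version.Minor
}

$findings = Get-ChildItem -Path $Root -Include 'libcrypto*.dll','libssl*.dll','openssl.exe' `
        -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileVersionRaw is the numeric version from the PE resource; ProductVersion
        # may be free text, so it is not used for the comparison.
        $ver    = $_.VersionInfo.FileVersionRaw
        $branch = Get-OpenSslBranch $ver
        $min    = $MinimumFixed[$branch]

        if ($null -eq $min) {
            $status = 'unknown-branch'
        } elseif ($ver -lt $min) {
            $status = "VULNERABLE (fixed in $min)"
        } else {
            $status = 'ok'
        }

        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $ver
            Branch      = $branch
            Status      = $status
        }
    }

$findings | Sort-Object Status, Path | Format-Table -AutoSize

# Non-zero exit code lets the check gate a build or configuration-management run.
if ($findings | Where-Object Status -like 'VULNERABLE*') { exit 1 }
```

Run it from an elevated or ordinary PowerShell session; `-Force` is kept so hidden copies (for example inside a bundled Python's `DLLs` folder, as in the ticket's output) are not missed. Because the comparison is per branch, a 3.1.x DLL is judged against 3.1.7 rather than against the 3.0 line, which is what an inventory sorted only by `ProductVersion` would not tell you.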
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/852>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.