Vulnerable OpenSSL bundled

Bug #2065930 reported by Felipe Morais
Affects: calibre
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The following DLLs used by Calibre 7.x (Windows) are being flagged by MS Defender for Endpoint as vulnerable:

libssl-3.dll
libcrypto-3.dll
libssl-3-x64.dll
libcrypto-3-x64.dll

I assume they come from OpenSSL 3.1.14. This version is vulnerable to a series of CVEs fixed in version 3.3 of OpenSSL. I'd like to suggest updating OpenSSL dependencies for Calibre in a future release as soon as possible to avoid those vulnerabilities.

Changelogs: https://www.openssl.org/news/cl33.txt

Kovid Goyal (kovid) wrote :

None of those CVEs are applicable to calibre's usage of OpenSSL as far as I can tell, however I will update to 3.1.5 (it is currently at 3.1.3) for the next calibre release to avoid the security theatre.

Changed in calibre:
status: New → Fix Released
Kovid Goyal (kovid) wrote :

Fixed in branch master. The fix will be in the next release. calibre is usually released every alternate Friday.

Felipe Morais (fdemenes) wrote :

Any 3.1.X version would not avoid the detection by common antivirus. Version 3.3 and higher would do that. Thanks for your prompt response!

Kovid Goyal (kovid) wrote :

3.1 is actively maintained as far as I know. If there are outstanding issues with it, they should be reported to openssl so they can make a patch release in 3.1. And if there aren't, then the false detection should be reported to the antivirus vendor.
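As an added example (not part of this bug thread and not calibre's own code), a Python check that reads the version string actually embedded in the bundled OpenSSL DLLs named in the report and compares it against a per-branch minimum, so the decision rests on the shipped version (3.1.3 before the fix, 3.1.5 after) rather than on a guess from the file name. The minimum table, the install path and the sample byte strings are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# OpenSSL binaries carry their version text (e.g. "OpenSSL 3.1.3 19 Sep 2023") as a
# plain string, so the version a shipped DLL was built from can be read from its
# bytes instead of being assumed from the file name.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")

# DLL names taken from the bug report.
BUNDLED_DLLS = ("libssl-3.dll", "libcrypto-3.dll", "libssl-3-x64.dll", "libcrypto-3-x64.dll")

# Assumed policy: the oldest acceptable release per branch. 3.1.5 is the version the
# maintainer said he would move to; add other branches from your own patch baseline.
MINIMUM_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {(3, 1): (3, 1, 5)}

def parse_version(data: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the embedded version string, or None."""
    m = VERSION_RE.search(data)
    return tuple(int(g) for g in m.groups()) if m else None

def check_bytes(data: bytes, minimum_by_branch=MINIMUM_BY_BRANCH) -> str:
    """Classify one binary: 'no-version', 'unknown-branch', 'outdated' or 'ok'."""
    found = parse_version(data)
    if found is None:
        return "no-version"       # not an OpenSSL build, or the string was stripped
    minimum = minimum_by_branch.get(found[:2])
    if minimum is None:
        return "unknown-branch"   # no baseline recorded for this branch: do not guess
    return "outdated" if found < minimum else "ok"

def scan_install_dir(directory: Path, minimum_by_branch=MINIMUM_BY_BRANCH) -> Dict[str, str]:
    """Check every bundled OpenSSL DLL found under an install directory."""
    results: Dict[str, str] = {}
    for name in BUNDLED_DLLS:
        for path in directory.rglob(name):
            results[str(path)] = check_bytes(path.read_bytes(), minimum_by_branch)
    return results

# Constructed sample byte strings standing in for DLL contents (not real binaries).
SAMPLE_OLD = b"\x00\x00OpenSSL 3.1.3 (constructed sample)\x00"
SAMPLE_FIXED = b"\x00\x00OpenSSL 3.1.5 (constructed sample)\x00"

if __name__ == "__main__":
    print(check_bytes(SAMPLE_OLD), check_bytes(SAMPLE_FIXED))
    # Real use, with an assumed placeholder path for the calibre install directory:
    # print(scan_install_dir(Path(r"C:\path\to\calibre")))
```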
