Vulnerable OpenSSL bundled
Bug #2065930 reported by Felipe Morais
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
calibre | Fix Released | Undecided | Unassigned |
Bug Description
The following DLLs used by Calibre 7.x (Windows) are being flagged by MS Defender for Endpoint as vulnerable:
libssl-3.dll
libcrypto-3.dll
libssl-3-x64.dll
libcrypto-3-x64.dll
I assume they come from OpenSSL 3.1.14. This version is vulnerable to a series of CVEs fixed in version 3.3 of OpenSSL. I'd like to suggest updating OpenSSL dependencies for Calibre in a future release as soon as possible to avoid those vulnerabilities.
Changelogs: https:/
None of those CVEs are applicable to calibre's usage of OpenSSL as far
as I can tell, however I will update to 3.1.5 (it is currently at 3.1.3)
for the next calibre release to avoid the security theatre.