duane3104 wrote: ↑Thu Nov 17, 2022 9:51 pm
@Pagrossman
First, I am a total noob so please forgive me if this is a stupid question.
But you say in your original post that FreeCAD uses OpenSSL 3.0.0.
My Windows V0.20 appears to use OpenSSL 1.1.1L, not the 3.0.0 version.
Would that mean that recent Windows versions would not be affected?
Perhaps the Linux versions use the 3.0.0 library?
Thanks very much for any comments.
Hi duane3104,
thank you for your reply.
You are right, and it seems that V0.20 uses version 1.1.1, but at the same time the setup also installs version 3.0.0.
As you wrote, versions 1.* are not vulnerable. Unfortunately, versions 3.0.0 - 3.0.6 are vulnerable.
Version - path:
3.0.0.0 - c:\program files\freecad 0.20\bin\libcrypto-3.dll
3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3.dll
3.0.0.0 - c:\program files\freecad 0.20\bin\libssl-3d.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\dlls\libcrypto-1_1.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\dlls\libssl-1_1.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\libcrypto-1_1-x64.dll
1.1.1.0 - c:\program files\freecad 0.20\bin\libssl-1_1-x64.dll
I don't know why the setup installs the 3.* versions, but it installs them.
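
An added example, not part of the original post and not FreeCAD's own tooling: a PowerShell inventory that produces a "Version - path" listing like the one above and flags DLLs whose file version falls in the 3.0.0 - 3.0.6 range named in the post. The default `$Root` is an assumption taken from the paths in the listing, and the `Status` labels are made up for this example.

```powershell
# Added example: list OpenSSL DLLs under an install directory and flag file
# versions inside the 3.0.0 - 3.0.6 range stated in the post.
param(
    # Assumption: default install path, taken from the listing in the post.
    [string]$Root = 'C:\Program Files\FreeCAD 0.20'
)

$low  = [version]'3.0.0'   # first version the post calls vulnerable
$high = [version]'3.0.6'   # last version the post calls vulnerable

Get-ChildItem -Path $Root -Recurse -File -Include 'libssl*.dll', 'libcrypto*.dll' `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo

        if ([string]::IsNullOrWhiteSpace($vi.FileVersion)) {
            # No version resource in the DLL: do not guess, report it for manual review.
            $ver    = $null
            $status = 'UNKNOWN (no version resource)'
        }
        else {
            # Use the numeric fields; the FileVersion string can carry extra text.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

            $status = if ($ver -ge $low -and $ver -le $high) {
                'IN RANGE 3.0.0 - 3.0.6'
            }
            elseif ($ver.Major -eq 1) {
                '1.x (not affected per the post)'
            }
            else {
                'outside listed range'
            }
        }

        [pscustomobject]@{
            Version = $ver
            Status  = $status
            Path    = $_.FullName
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize -Wrap
```

The version resource only carries numeric fields, so a letter release such as 1.1.1L shows up as 1.1.1.0, as in the listing above.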