Openssl issue CVE-2024-4741,CVE-2024-4603 and CVE-2024-2511 with Ncpa fo windows 3.1.0 #1176
Comments
BlYuzucorp
changed the title
BlYuzucorp
changed the title
BlYuzucorp
changed the title
|
This wouldn't be isolated to Windows, since NCPA does a private bind of the a few libraries and doesn't use the ones in the general linux distribution the agent is installed on. It should be a priority if there are unresolved CVEs in the current NCPA version. |
Not sure we are talking about he same thing. i speak about windows edition not linux edition of the package. SO the 3.0.14 library you bind had an issue with security. |
|
Yes, we are. I'm saying the security issue you mention wouldn't be isolated to the Windows NCPA version. |
|
" ..It should be a priority if there are unresolved CVEs in the current NCPA version. .." i's a quite hard to understand. CVE described an issue with the current version and recommand to upgrade to new one. So why is not a priority ? |
|
FYI, there's also plenty of CVEs to the OpenSSL packaged with it (as far as I understand it comes with python) and the packaged version of OpenSSL is EOS according to MS Defender |
|
Is there any update on a updated package for resolving all the current CVE issues? |
|
yes 3.0.14 : https://www.openssl.org/news/vulnerabilities.html |
|
and 3.0.15 for new CVE-2024-5535 |
|
@BlYuzucorp My statement wasn't directed to you but the NCPA package maintainers in regards to getting an updated NCPA package. |
|
@MrPippin66 |
|
Thanks for the update. I'm holding off doing our 3.1 rollout pending this being resolved. |
|
Since the addition of OpenSSL 3 in Python, our Windows version of NCPA uses the OpenSSL version bundled into the Python release. As of this moment, Python 3.13 is in beta and the latest 3.12 (3.12.4) is built with OpenSSL 3.0.13 (the version currently in NCPA 3.1.0), so the Windows build is blocked on that front until Python updates the version that they're using. There was a version of the windows build that I had made that downloaded and built Python from source with a custom version of OpenSSL, but I would have to dig that up and update it to work with the current version of NCPA. On the Linux front, we could update to use OpenSSL 3.0.14, but 3.0.15 isn't available from the OpenSSL website and I haven't looked into getting OpenSSL 3.3 working with NCPA. I am out for the next week, but I can look a little closer when I get back. |
|
Openssl 3.0.14 does include the fixes involved in the main part of this issue.
So those can be resolved in the Linux side. Clearly doesn't address the Windows side of these CVEs. And it's still desirable to address the python ssl module issue, if possible. CVE-2024-0397. (if not already addressed) |
|
Is any progress being made on this? |
Yes. Sorry for the wait, I've been out of town. We will be moving into QA shortly on NCPA 3.1.1, which will update the Linux version to use OpenSSL 3.0.15 and the Windows build's Python version to 3.12.5. |
|
Thanks for the update |
Sorry to push, but is there any ETA on a possible linux release to address the OpenSSL issues? |
We should be releasing NCPA 3.1.1 early next week. |
|
That's a good news. Just for info, Python released version 3.12.6 for openssl issue. |
Hi,
You use risk openssl lib : c:\program files\nagios\ncpa\lib\libcrypto-3.dll and c:\program files\nagios\ncpa\lib\libssl-3.dll.
You use 3.0.13 and need to be upgraded to 3.0.14.
Thks
The text was updated successfully, but these errors were encountered: