Closed fkamming closed 2 months ago
The latest NScurl release is built with nghttp2/1.58.0. I'm not sure why Black Duck is reporting nghttp2 version 1.3.6, but it's obviously inaccurate.
As for OpenSSL 1.1.1, I'm aware of its EOL and it's on my todo list to upgrade. The main challenge for me is to build a binary that's backward compatible with ancient Windows builds (talking about NT 4, Win 2000...). I've had a few unsuccessful attempts to switch to 3.x, but I'm not there yet.
Thanks for the quick response.
In all likelihood BDBA reports the wrong version of nghttp2. I'll manually update the version number in BDBA which should get rid of the reported vulnerabilities. The outdated version of openssl I can live with for now.
Thank you again for creating and maintaining this great NSIS plugin.
FYI: OpenSSL was upgraded to version 3.3.0 in nscurl/1.2024.4.30. Enjoy!
This plugin works great, but sadly it's a no-go for us due to security concerns.
Black Duck Binary Analysis reports critical and high severity vulnerabilities against nghttp2 1.3.6 (CVE-2015-8659 and CVE-2020-11080). Need to upgrade to 1.6.0 or later to address these. Latest version is 1.59.0.
Also OpenSSL 1.1.1 is out-of-support. Should be upgraded to 3.0 or 3.2.
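The thread turns on a disagreement between what the SCA tool (Black Duck Binary Analysis) reports for nghttp2 and what the maintainer says the plugin was built with. A quick way to settle that kind of dispute is to read the version strings libcurl, OpenSSL and nghttp2 embed in the binary and compare them numerically against the floors the issue names (nghttp2 >= 1.6.0, OpenSSL >= 3.0). The script below is an added example, not code from the NScurl project or from anyone in this thread; the two "binaries" are constructed byte strings standing in for what you would read from the plugin DLL, and the string formats it searches for are an assumption based on how curl and OpenSSL normally embed their versions.

```python
"""Cross-check an SCA finding against the version strings a curl-based
binary actually embeds (added example; not NScurl project code)."""
import re
import sys
from typing import Dict, Optional, Tuple

# Assumption: libcurl embeds a line like "libcurl/8.7.1 OpenSSL/3.3.0 nghttp2/1.58.0"
# and OpenSSL itself embeds "OpenSSL 1.1.1 <date>"-style text; a build that
# strips these strings will simply report "not-found" below.
PATTERNS = {
    "libcurl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
    "openssl": re.compile(rb"OpenSSL[/ ](\d+\.\d+\.\d+[a-z]?)"),
    "nghttp2": re.compile(rb"nghttp2/(\d+\.\d+\.\d+)"),
}

# Floors taken from the issue text: nghttp2 1.6.0 or later, OpenSSL 3.0 or later.
MINIMUMS = {"nghttp2": "1.6.0", "openssl": "3.0.0"}

# Constructed sample "binaries": a few padding bytes around the strings a DLL would carry.
OLD_BUILD = (
    b"\x00MZ\x90\x00"
    + b"libcurl/8.5.0 OpenSSL/1.1.1 nghttp2/1.58.0\x00"
    + b"\x00" * 16
    + b"OpenSSL 1.1.1 11 Sep 2023\x00"
)
NEW_BUILD = b"\x00MZ\x90\x00" + b"libcurl/8.7.1 OpenSSL/3.3.0 nghttp2/1.58.0\x00"


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """Split 'major.minor.patch[letter]' into a tuple that compares numerically,
    so that 1.58.0 correctly ranks above 1.6.0 (a string compare gets this wrong)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def extract_versions(blob: bytes) -> Dict[str, Optional[str]]:
    """Return the first embedded version string per component, or None if absent."""
    found: Dict[str, Optional[str]] = {}
    for name, pattern in PATTERNS.items():
        m = pattern.search(blob)
        found[name] = m.group(1).decode("ascii") if m else None
    return found


def assess(blob: bytes, minimums: Dict[str, str] = MINIMUMS) -> Dict[str, str]:
    """Classify each component against its floor: 'ok', 'outdated' or 'not-found'."""
    versions = extract_versions(blob)
    verdict: Dict[str, str] = {}
    for name, floor in minimums.items():
        v = versions.get(name)
        if v is None:
            verdict[name] = "not-found"
        elif parse_version(v) >= parse_version(floor):
            verdict[name] = "ok"
        else:
            verdict[name] = "outdated"
    return verdict


def scan_file(path: str) -> Dict[str, str]:
    """Run the same check over a real file, e.g. the plugin DLL pulled from a release."""
    with open(path, "rb") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        for label, blob in (("old build", OLD_BUILD), ("new build", NEW_BUILD)):
            print(label, extract_versions(blob), assess(blob))
```

Run it with the path to the plugin binary as its only argument to check a real release; with no argument it evaluates the two constructed blobs. The numeric comparison in `parse_version` is the point worth keeping: a tool that compares version strings lexically will rank "1.58.0" below "1.6.0", which is exactly the kind of mistake that turns a current nghttp2 into a vulnerable-looking one in a report.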