negrutiu / nsis-nscurl

NSIS plugin with advanced HTTP/S capabilities
BSD 3-Clause "New" or "Revised" License

CyberSecurity vulnerabilities #12

Closed fkamming closed 2 months ago

fkamming commented 5 months ago

This plugin works great, but sadly it's a no-go for us due to security concerns.

Black Duck Binary Analysis reports critical and high severity vulnerabilities against nghttp2 1.3.6 (CVE-2015-8659 and CVE-2020-11080). Need to upgrade to 1.6.0 or later to address these. Latest version is 1.59.0.

Also OpenSSL 1.1.1 is out-of-support. Should be upgraded to 3.0 or 3.2.

negrutiu commented 5 months ago

The latest NScurl release is built with nghttp2/1.58.0. I'm not sure why Black Duck is reporting nghttp2 version 1.3.6, but it's obviously inaccurate.

As for openssl 1.1.1, I'm aware of its EOL and it's on my todo list to upgrade. The main challenge for me is to build a binary that's backward compatible with ancient Windows builds (talking about NT 4, Win 2000...). I've had a few unsuccessful attempts to switch to 3.x, but I'm not there yet.

fkamming commented 5 months ago

Thanks for the quick response.

In all likelihood BDBA reports the wrong version of nghttp2. I'll manually update the version number in BDBA which should get rid of the reported vulnerabilities. The outdated version of openssl I can live with for now.

Thank you again for creating and maintaining this great NSIS plugin.

negrutiu commented 2 months ago

FYI: openssl was upgraded to version 3.3.0 in nscurl/1.2024.4.30. Enjoy!
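The thread turns on a binary-analysis tool misreporting the nghttp2 version linked into the plugin. A cheap way to cross-check such a finding is to read the library version tokens that libcurl embeds in its own version string (the `libcurl/x.y.z OpenSSL/x.y.z nghttp2/x.y.z` form returned by `curl_version()`) straight out of the DLL and compare them with the fix thresholds named above. The script below is an added example written for this page, not code from the nscurl project; it assumes the plugin embeds libcurl's version-string format, and the sample byte blobs and the minimum-version policy (`nghttp2 >= 1.6.0`, `OpenSSL >= 3.0.0`) are constructed from the numbers in the thread.

```python
import re
from typing import Dict, List, Tuple

# "name/version" tokens in the format libcurl uses for curl_version(),
# e.g. b"libcurl/8.7.1 OpenSSL/3.3.0 nghttp2/1.58.0" (assumption: the
# plugin DLL carries this string; a real DLL would be read with open(..., "rb")).
VERSION_TOKEN = re.compile(rb"(libcurl|OpenSSL|nghttp2)/(\d+(?:\.\d+){1,3}[a-z]?)")

# Minimum acceptable versions (constructed policy from the thread: nghttp2 1.6.0
# addresses CVE-2015-8659 / CVE-2020-11080, and OpenSSL 1.1.1 is out of support).
MINIMUMS = {"nghttp2": "1.6.0", "OpenSSL": "3.0.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.58.0' or '1.1.1w' into a comparable tuple of ints; letter suffixes are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def find_library_versions(blob: bytes) -> Dict[str, str]:
    """Scan raw binary content for embedded tokens; keep the highest version seen per library."""
    found: Dict[str, str] = {}
    for raw_name, raw_ver in VERSION_TOKEN.findall(blob):
        name, ver = raw_name.decode("ascii"), raw_ver.decode("ascii")
        if name not in found or parse_version(ver) > parse_version(found[name]):
            found[name] = ver
    return found


def assess(found: Dict[str, str], minimums: Dict[str, str] = MINIMUMS) -> List[str]:
    """One finding per library that is absent (needs manual review) or below its minimum."""
    findings = []
    for name, minimum in minimums.items():
        if name not in found:
            findings.append(f"{name}: no version string found; verify manually")
        elif parse_version(found[name]) < parse_version(minimum):
            findings.append(f"{name}: {found[name]} is below minimum {minimum}")
    return findings


# Constructed stand-ins for DLL contents (not real plugin bytes): a current build
# and an older build that still links OpenSSL 1.1.1.
CURRENT_BUILD = b"MZ\x90\x00\x03\x00\x00junk\x00libcurl/8.7.1 OpenSSL/3.3.0 nghttp2/1.58.0\x00more"
OLDER_BUILD = b"MZ\x90\x00junk\x00libcurl/8.5.0 OpenSSL/1.1.1w nghttp2/1.58.0\x00more"

if __name__ == "__main__":
    for label, blob in (("current", CURRENT_BUILD), ("older", OLDER_BUILD)):
        versions = find_library_versions(blob)
        print(label, versions, assess(versions) or "OK")
```

Running it on the current-build sample reports all three libraries and no findings, while the older-build sample flags only OpenSSL; a scanner claiming nghttp2 1.3.6 against a binary whose embedded token reads 1.58.0 is the kind of discrepancy this check surfaces before a finding is accepted or suppressed.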