OpenSSL. Libraries


OpenSSL. Libraries

frank.bumgarner
In loading the latest 4.2.2 release we have noticed you include the OpenSSL 0.9.8r libeay32 and ssleay32 libraries.  That version of OpenSSL has been identified to contain several (around 85) vulnerabilities.  The vulnerabilities listed include man-in-the-middle, access restriction, denial of service, and buffer overflow attacks our company is uncomfortable accepting.

Also the 9.00 versions of the MSVCM, MSVCP, and MSVCR libraries are no longer supported by Microsoft.

I am looking to find out if these libraries are scheduled to be upgraded to newer, less vulnerable versions or removed in the near future.  If not, can you tell me in which use cases these libraries would be accessed.
_______________________________________________
Mercurial mailing list
[hidden email]
https://www.mercurial-scm.org/mailman/listinfo/mercurial
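As an added example (not part of this thread and not Mercurial project code): a small Python check that inventories an install directory for the DLLs named in the post above and reads the plain-text version banner OpenSSL embeds in its binaries, so an operator can confirm which build is shipped before deciding whether the SVN bindings are needed. The sample directory it builds is constructed, not a real Mercurial layout, and the MSVC 9.00 runtime file names (msvcr90/msvcp90/msvcm90) are assumed.

```python
import os
import re
import tempfile
# DLLs named in the post above. The OpenSSL names come from the post; the MSVC
# 9.00 runtime file names are assumed (the standard ones for that toolchain).
WATCHED_DLLS = {
    "libeay32.dll": "OpenSSL crypto",
    "ssleay32.dll": "OpenSSL TLS",
    "msvcr90.dll": "MSVC 9.00 C runtime",
    "msvcp90.dll": "MSVC 9.00 C++ runtime",
    "msvcm90.dll": "MSVC 9.00 managed runtime",
}
# OpenSSL binaries carry a plain-text banner such as "OpenSSL 0.9.8r 8 Feb 2011".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

def openssl_version(path):
    # Returns (major, minor, patch, letter) from the banner, or None if absent.
    with open(path, "rb") as fh:
        m = OPENSSL_BANNER.search(fh.read())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode())

def audit_install_dir(root, minimum=(1, 1, 1)):
    # Lists watched DLLs under root; OpenSSL builds older than `minimum` are flagged.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()
            if key not in WATCHED_DLLS:
                continue
            full = os.path.join(dirpath, name)
            ver = openssl_version(full) if key.startswith(("libeay", "ssleay")) else None
            findings.append({"file": os.path.relpath(full, root).replace(os.sep, "/"),
                             "role": WATCHED_DLLS[key], "openssl": ver,
                             "outdated": ver is not None and ver[:3] < minimum})
    return sorted(findings, key=lambda f: f["file"])

def build_sample_install():
    # Constructed stand-in for an install directory; not a real Mercurial layout.
    root = tempfile.mkdtemp(prefix="hg-audit-")
    os.makedirs(os.path.join(root, "lib"))
    banner = b"MZ\x90\x00...OpenSSL 0.9.8r 8 Feb 2011\x00"
    samples = {"lib/libeay32.dll": banner, "lib/ssleay32.dll": banner,
               "msvcr90.dll": b"MZ\x90\x00...", "hg.exe": b"MZ\x90\x00..."}
    for rel, payload in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(payload)
    return root
```

Point `audit_install_dir` at a real installation directory to list the bundled DLLs; the default `minimum` flags anything older than the 1.1.1 series and can be tightened to match your own policy.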

Re: OpenSSL. Libraries

Pascal Quantin
Hi Franck,

On 7 Sept. 2017 at 15:34, "frank.bumgarner" <[hidden email]> wrote:
> In loading the latest 4.2.2 release we have noticed you include the OpenSSL 0.9.8r libeay32 and ssleay32 libraries.  That version of OpenSSL has been identified to contain several (around 85) vulnerabilities.  The vulnerabilities listed include man-in-the-middle, access restriction, denial of service, and buffer overflow attacks our company is uncomfortable accepting.

If I remember correctly those dlls are used for the subversion bindings only.


> Also the 9.00 versions of the MSVCM, MSVCP, and MSVCR libraries are no longer supported by Microsoft.

Unfortunately Python 2.7.x is built with this MSVC version; nothing we can do about it.


> I am looking to find out if these libraries are scheduled to be upgraded to newer, less vulnerable versions or removed in the near future.  If not, can you tell me in which use cases these libraries would be accessed.

Unless someone feels courageous enough to rebuild the subversion / subvertpy bindings, an upgrade is a bit unlikely (I did this years ago and it was very painful). Note that I'm talking about the Inno Setup installer and you did not specify which Windows installer you were using.
As far as I can tell they are unused unless you use hgsubversion to interact with SVN repositories. Removing the subversion support from the builder removed those dlls from the installer, so my memory should be right.
Another possibility could be to stop releasing builds with SVN support, but it might make life difficult for some other users.
Did you check whether the same dlls are present in the .MSI installer? It is done by another team but I shared with them the subversion bindings years ago. I do not know if they still use it or not.

Best regards,
Pascal.


Re: OpenSSL. Libraries

Steve Borho
On Thu, Sep 7, 2017 at 1:53 PM, Pascal Quantin <[hidden email]> wrote:

> Hi Franck,
>
> On 7 Sept. 2017 at 15:34, "frank.bumgarner" <[hidden email]> wrote:
>
> > In loading the latest 4.2.2 release we have noticed you include the OpenSSL
> > 0.9.8r libeay32 and ssleay32 libraries.  That version of OpenSSL has been
> > identified to contain several (around 85) vulnerabilities.  The
> > vulnerabilities listed include man-in-the-middle, access restriction, denial
> > of service, and buffer overflow attacks our company is uncomfortable
> > accepting.
>
> If I remember correctly those dlls are used for the subversion bindings
> only.
>
> > Also the 9.00 versions of the MSVCM, MSVCP, and MSVCR libraries are no
> > longer supported by Microsoft.
>
> Unfortunately Python 2.7.x is built with this MSVC version; nothing we can
> do about it.
>
> > I am looking to find out if these libraries are scheduled to be upgraded to
> > newer, less vulnerable versions or removed in the near future.  If not, can
> > you tell me in which use cases these libraries would be accessed.
>
> Unless someone feels courageous enough to rebuild the subversion / subvertpy
> bindings, an upgrade is a bit unlikely (I did this years ago and it was very
> painful). Note that I'm talking about the Inno Setup installer and you did
> not specify which Windows installer you were using.
> As far as I can tell they are unused unless you use hgsubversion to interact
> with SVN repositories. Removing the subversion support from the builder
> removed those dlls from the installer, so my memory should be right.
> Another possibility could be to stop releasing builds with SVN support, but
> it might make life difficult for some other users.
> Did you check whether the same dlls are present in the .MSI installer? It is
> done by another team but I shared with them the subversion bindings years
> ago. I do not know if they still use it or not.

Hello, the Mercurial MSI installers have never included the SVN
libraries; they were only included in TortoiseHg.  A few years back we
stopped including them in TortoiseHg as well (because of these
security concerns and other problems); they are available as a
separate download and I posted instructions for how to enable them.
See https://bitbucket.org/tortoisehg/thg/wiki/libsvn

--
Steve Borho

Re: OpenSSL. Libraries

Pascal Quantin
Hi Steve,

On 7 Sept. 2017 at 21:19, Steve Borho <[hidden email]> wrote:

> On Thu, Sep 7, 2017 at 1:53 PM, Pascal Quantin <[hidden email]> wrote:
> > Hi Franck,
> >
> > On 7 Sept. 2017 at 15:34, "frank.bumgarner" <[hidden email]> wrote:
> >
> > > In loading the latest 4.2.2 release we have noticed you include the OpenSSL
> > > 0.9.8r libeay32 and ssleay32 libraries.  That version of OpenSSL has been
> > > identified to contain several (around 85) vulnerabilities.  The
> > > vulnerabilities listed include man-in-the-middle, access restriction, denial
> > > of service, and buffer overflow attacks our company is uncomfortable
> > > accepting.
> >
> > If I remember correctly those dlls are used for the subversion bindings
> > only.
> >
> > > Also the 9.00 versions of the MSVCM, MSVCP, and MSVCR libraries are no
> > > longer supported by Microsoft.
> >
> > Unfortunately Python 2.7.x is built with this MSVC version; nothing we can
> > do about it.
> >
> > > I am looking to find out if these libraries are scheduled to be upgraded to
> > > newer, less vulnerable versions or removed in the near future.  If not, can
> > > you tell me in which use cases these libraries would be accessed.
> >
> > Unless someone feels courageous enough to rebuild the subversion / subvertpy
> > bindings, an upgrade is a bit unlikely (I did this years ago and it was very
> > painful). Note that I'm talking about the Inno Setup installer and you did
> > not specify which Windows installer you were using.
> > As far as I can tell they are unused unless you use hgsubversion to interact
> > with SVN repositories. Removing the subversion support from the builder
> > removed those dlls from the installer, so my memory should be right.
> > Another possibility could be to stop releasing builds with SVN support, but
> > it might make life difficult for some other users.
> > Did you check whether the same dlls are present in the .MSI installer? It is
> > done by another team but I shared with them the subversion bindings years
> > ago. I do not know if they still use it or not.
>
> Hello, the Mercurial MSI installers have never included the SVN
> libraries; they were only included in TortoiseHg.  A few years back we
> stopped including them in TortoiseHg as well (because of these
> security concerns and other problems); they are available as a
> separate download and I posted instructions for how to enable them.
> See https://bitbucket.org/tortoisehg/thg/wiki/libsvn

Thanks for confirming. Then I guess I might have to do the same thing as TortoiseHg...

Pascal.
