Does nxlog-2.9.1716 still use LibExpat v2.0.1 and LibPCRE v8.02?
Impact:
LibPCRE v8.02 is vulnerable to DoS and code overflow.
LibExpat v2.0.1 has 4 publicly identified vulnerabilities.
References
https://www.cvedetails.com/vulnerability-list/vendor_id-12037/product_id-22545/version_id-129378/Libexpat-Expat-2.0.1.html
https://www.cvedetails.com/vulnerability-list/vendor_id-3265/product_id-5715/version_id-191791/Pcre-Pcre-8.02.html
Is it possible to update LibExpat to v2.1.0 and LibPCRE to v8.39?
Comments (3)
Thanks a lot for the very quick reply.
I have submitted the request to download the trial version of Enterprise Edition. Hope I will be able to download it soon.
In Enterprise Edition, both libeay32.dll and ssleay32.dll are using old SSL versions. Also, libpcre and libexpat are older versions.
C:\Program Files (x86)\nxlog>strings.exe libeay32.dll | findstr "OpenSSL"
OpenSSL: FATAL
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL 1.0.2a 19 Mar 2015
MD4 part of OpenSSL 1.0.2a 19 Mar 2015
MD5 part of OpenSSL 1.0.2a 19 Mar 2015
SHA part of OpenSSL 1.0.2a 19 Mar 2015
SHA1 part of OpenSSL 1.0.2a 19 Mar 2015
SHA-256 part of OpenSSL 1.0.2a 19 Mar 2015
SHA-512 part of OpenSSL 1.0.2a 19 Mar 2015
C:\Program Files (x86)\nxlog>strings.exe ssleay32.dll | findstr "OpenSSL"
SSLv2 part of OpenSSL 1.0.2a 19 Mar 2015
SSLv3 part of OpenSSL 1.0.2a 19 Mar 2015
TLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
DTLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
OpenSSL 1.0.2a 19 Mar 2015
OpenSSLDie
The OpenSSL Project, http://www.openssl.org/
OpenSSL shared library
The OpenSSL Toolkit
1998-2006 The OpenSSL Project. Copyright
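The manual `strings.exe | findstr` check in the comment above can be scripted; the following is an added example (not part of the thread and not NXLog code) that extracts OpenSSL version banners from a binary and flags any below a baseline. `MIN_ALLOWED`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Banner as it appears in the strings output above: "OpenSSL 1.0.2a 19 Mar 2015".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +(\d{1,2} [A-Z][a-z]{2} \d{4})")
MIN_ALLOWED = "1.0.2k"  # hypothetical policy floor; set this to your own baseline

def find_openssl_versions(data: bytes):
    """Return the distinct (version, build date) banners embedded in a binary."""
    found = set()
    # Raw bytes catch ASCII strings; the two strided views catch UTF-16LE
    # strings at even and odd offsets (strings.exe reports both encodings).
    for view in (data, data[0::2], data[1::2]):
        for m in BANNER.finditer(view):
            found.add((m.group(1).decode(), m.group(2).decode()))
    return sorted(found)

def version_key(version: str):
    """Order letter-suffixed releases: 1.0.2a < 1.0.2k < 1.0.2za < 1.1.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), len(letter), letter)

def audit(data: bytes, minimum: str = MIN_ALLOWED):
    """Return (version, build date, is_outdated) for every banner found."""
    floor = version_key(minimum)
    return [(v, d, version_key(v) < floor) for v, d in find_openssl_versions(data)]

# Constructed sample: an ASCII banner plus a UTF-16LE banner, not a real DLL.
SAMPLE = (b"MZ\x90\x00" + b"SHA part of OpenSSL 1.0.2a 19 Mar 2015\x00"
          + b"\xff" + "OpenSSL 1.0.2k 26 Jan 2017".encode("utf-16-le"))

if __name__ == "__main__":
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, blob in targets:
        for version, built, outdated in audit(blob):
            status = "OUTDATED" if outdated else "ok"
            print(f"{name}: OpenSSL {version} ({built}) {status}")
```

Pass one or more DLL paths as arguments to scan real files; with no arguments it runs on the constructed sample.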
Thanks for bringing this to our attention. There was a glitch in our CI system that didn't update the library files properly. This has been fixed and the NXLog Enterprise Edition trial is now using the following libraries: