CVEs in GMSEC 4.9.1 Distribution

[wardev]

File [1] contains openssl binaries. Since it was compiled around June 8, 2021 many vulnerabilities have been found in the binaries that NASA is distributing. See [2]. It appears the NASA distributed binaries are vulnerable to: CVE-2023-4807, CVE-2023-3817, CVE-2023-3446, CVE-2023-2650, CVE-2023-0465, CVE-2023-0464, CVE-2023-0286, etc. Some of these the OpenSSL project considers high severity.

See also #31 for fixing the build of the support binaries to avoid redistributing OpenSSl.

[1] https://github.com/nasa/GMSEC_API/releases/download/API-4.9.1-release/SUPPORT.zip

[2] https://www.openssl.org/news/vulnerabilities-1.1.1.html

[dmwhitne-583]

The SUPPORT.zip has been updated for releases 4.9.1, 5.0, and 5.1. The ActiveMQ CMS library, for each respective system supported by GMSEC, with the exception of Windows, will now rely on the system-provided Apache Runtime Portable (APR) and OpenSSL.