Dear Autodesk support team,
We are currently using Autodesk DWG Trueview 2025 version 25.0.116.0 on our clients. Our Microsoft MDE vulnerability scanner shows the following vulnerable files:
Location = C:\Program Files\Autodesk\AdODIS\V1\Setup\CER
C:\Program Files\Autodesk\AdODIS\V1\Setup\CER\libcrypto-3-x64.dll -> version = 3.0.13
C:\Program Files\Autodesk\AdODIS\V1\Setup\CER\libssl-3-x64.dll -> version = 3.0.13
I've installed now the latest DWG Trueview 2025 version which shows me version 25.0.154.0. I've checked the files again and now it's showing:
C:\Program Files\Autodesk\AdODIS\V1\Setup\CER\libcrypto-3-x64.dll -> version = 3.0.14
C:\Program Files\Autodesk\AdODIS\V1\Setup\CER\libssl-3-x64.dll -> version = 3.0.14
I've checked the openssl website: https://openssl-library.org/news/openssl-3.0-notes/
And see the following information:
Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])
Question:
When will a version that is vulnerability free be released?
Thank you in advance!
Best regards,
Michaël