Hello,
We are getting a lot of OpenSSL alerts due to the OpenSSL libraries that seem to be bundled in the NCPA repo packages. From Nessus, these alerts are now ranging from Critical, High, and Medium. Is there any way to get this package rebuilt with the latest libraries, or maybe get it to have a dependency on openssl on the system itself, instead of bundling it?
NCPA RHEL 9 OpenSSL Vul Alerts
- jmichaelson
- Posts: 379
- Joined: Wed Aug 23, 2023 1:02 pm
Re: NCPA RHEL 9 OpenSSL Vul Alerts
Hi @echokev, which version of NCPA are you seeing this in?
Please let us know if you have any other questions or concerns.
-Jason
Re: NCPA RHEL 9 OpenSSL Vul Alerts
Hello @EchoKev,
NCPA 3.1.1 contains an update to OpenSSL (updates to 3.0.15) for Linux builds. If you have need of fixing this issue prior to the 3.1.1 release and you have a spare VM or machine to use as a build machine, you can build NCPA for Linux with your choice of OpenSSL version (so long as it's provided by openssl.org). This can be accomplished by cloning the NCPA GitHub repo and editing line 7 of ncpa/build/build.sh from 3.0.13 to 3.0.15 and then running build.sh.
Note that builds of NCPA are not backwards-compatible in regards to OS, so if you want a build to run on Ubuntu 22 and 24, you will have to build it on Ubuntu 22 or an earlier compatible version of Ubuntu/Debian. The same is true for Fedora distributions.
Actively advancing awesome answers with ardent alliteration, aptly addressing all ambiguities. Amplify your acumen and avail our amicable assistance. Eagerly awaiting your astute assessments of our advice.
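To confirm which OpenSSL a given NCPA install actually bundles (before and after upgrading or rebuilding as described above), the version banner embedded in the shared libraries can be read directly. This is an added example, not code from the posters or from the NCPA project; the default install path `/usr/local/ncpa` and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

# libcrypto embeds a banner such as "OpenSSL 3.0.13 30 Jan 2024".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)
# Version the thread says NCPA 3.1.1 ships; simple tuple compare,
# meant for the 3.0.x series only.
MIN_VERSION = (3, 0, 15)


def bundled_openssl_versions(root):
    """Map each shared object under root that carries an OpenSSL banner
    to the (major, minor, patch) version found in it."""
    found = {}
    for path in Path(root).rglob("*"):
        # Covers libcrypto.so.3 as well as extension modules that
        # link OpenSSL statically; files without a banner are skipped.
        if not path.is_file() or ".so" not in path.name:
            continue
        match = BANNER.search(path.read_bytes())
        if match:
            found[str(path)] = tuple(int(g) for g in match.groups())
    return found


def outdated(root, minimum=MIN_VERSION):
    """Return only the files whose embedded version is below minimum."""
    return {
        path: version
        for path, version in bundled_openssl_versions(root).items()
        if version < minimum
    }


if __name__ == "__main__":
    # Assumed default install location; pass another path as argv[1].
    install_root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/ncpa"
    stale = outdated(install_root)
    for path, version in sorted(stale.items()):
        print(f"{path}: OpenSSL {'.'.join(map(str, version))}")
    sys.exit(1 if stale else 0)
```

A non-zero exit means at least one bundled library is older than 3.0.15, which is the condition the scanner findings in this thread point at.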
Re: NCPA RHEL 9 OpenSSL Vul Alerts
jmichaelson wrote: ↑Thu Sep 05, 2024 3:10 pm Hi @echokev, which version of NCPA are you seeing this in?
We are seeing this in the 3.1.0 version for Red Hat 9
Re: NCPA RHEL 9 OpenSSL Vul Alerts
Tenable Nessus is rating the OpenSSL library as being a Critical level issue.


-
DoubleDoubleA
- Posts: 280
- Joined: Thu Feb 09, 2017 5:07 pm
Re: NCPA RHEL 9 OpenSSL Vul Alerts
Hi @EchoKev,
We plan to release NCPA 3.1.1 to fix this and a couple of other issues next week.
Aaron
Re: NCPA RHEL 9 OpenSSL Vul Alerts
@DoubleDoubleA That's great to hear!
Thanks!