In Version 6.14.1 Particular ServiceControl RavenDB appears to have libssl-3-x64.dll as version 3.3.2 which is vulnerable to OpenSSL CVE-2025-15467. Do you know when this might be addressed in a future patch?
Hi @KPO
Unfortunately, there really isn’t much we can directly do about this. The OpenSSL library you’re seeing in ServiceControl comes from RavenDB.
Both the latest version of RavenDB 6.x, which we use in ServiceControl, and the very latest RavenDB 7.x version still have that same OpenSSL 3.3.2 version.
However, if you then take a look at the RavenDB codebase, they aren’t directly pulling in OpenSSL either. They have a dependency on the Confluent.Kafka package, and that has a dependency on the librdkafka.redist package.
That redist package is the source of the OpenSSL library that you are seeing. The latest versions of those packages (2.14.1) are the ones that include the 3.3.2 OpenSSL library.
So, the librdkafka.redist repo needs to update the version of OpenSSL it uses, which would let the Confluent.Kafka repo be updated to use a new librdkafka.redist version.
Then when a new Confluent.Kafka package ships, RavenDB would need to update to it and ship a 6.x version that uses the new Confluent.Kafka package.
Once there’s a new 6.x RavenDB release, we could pull that into ServiceControl and ship that to you.
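Because the OpenSSL copy arrives three dependency hops away, the practical check on your side is to inventory what is actually sitting on disk rather than trust any one package's version number. Below is an added example (not code from this thread, from Particular, RavenDB, Confluent or librdkafka) that walks an install directory, picks out the OpenSSL DLLs by their Windows file names (libssl-3-x64.dll, libcrypto-3-x64.dll, the 1.1 naming and so on), and reads the version banner that OpenSSL compiles into its binaries (the "OpenSSL 3.3.2 3 Sep 2024" style string) instead of relying on file metadata. The `minimum_ok` value is a placeholder you replace with the fixed-in version from the advisory, and the sample tree it scans is constructed in a temp directory with plain files that carry only the banner bytes, not real DLLs.

```python
import re
import tempfile
from pathlib import Path

# Windows file names used by OpenSSL 1.1/3.x builds, e.g. libssl-3-x64.dll,
# libcrypto-3-x64.dll, libssl-1_1-x64.dll (librdkafka.redist ships the 3.x pair).
OPENSSL_DLL = re.compile(r"^lib(ssl|crypto)-[\d_]+(-x64|-x86|-arm64)?\.dll$", re.IGNORECASE)

# OpenSSL compiles its version banner into the library, e.g. "OpenSSL 3.3.2 3 Sep 2024".
# Assumption: the banner is present in the file being scanned (it is built into
# libcrypto; a file without it is reported as "unknown", never as "ok").
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)(?=[\s\x00])")


def parse_version(ver: str):
    """'3.3.2' -> (3, 3, 2); '1.1.1w' -> (1, 1, 1). Letter suffixes are ignored."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", ver).groups())


def banner_version(data: bytes):
    """Return the version from the first OpenSSL banner in the bytes, or None."""
    m = BANNER.search(data)
    return m.group(1).decode("ascii") if m else None


def find_bundled_openssl(root, minimum_ok: str):
    """Walk an install tree and return (relative_path, version, status) for every
    OpenSSL DLL found. status is 'ok' (>= minimum_ok), 'outdated', or 'unknown'."""
    root = Path(root)
    rows = []
    for path in root.rglob("*"):
        if not (path.is_file() and OPENSSL_DLL.match(path.name)):
            continue
        ver = banner_version(path.read_bytes())
        if ver is None:
            status = "unknown"
        elif parse_version(ver) >= parse_version(minimum_ok):
            status = "ok"
        else:
            status = "outdated"
        rows.append((path.relative_to(root).as_posix(), ver, status))
    return sorted(rows)


def build_demo_tree(root):
    """Constructed sample tree: plain files carrying banner-like bytes, not real DLLs.
    The layout imitates a .NET app with a native runtimes folder; paths are made up."""
    files = {
        "RavenDB/runtimes/win-x64/native/libssl-3-x64.dll": b"MZ\x90\x00..OpenSSL 3.3.2 3 Sep 2024\x00",
        "RavenDB/runtimes/win-x64/native/libcrypto-3-x64.dll": b"MZ\x90\x00..OpenSSL 3.4.0 22 Oct 2024\x00",
        "RavenDB/libcrypto-3.dll": b"MZ\x90\x00..no banner here\x00",
        "Other/libssl-1_1-x64.dll": b"MZ\x90\x00..OpenSSL 1.1.1w  11 Sep 2023\x00",
        # Carries a banner but is not an OpenSSL DLL by name, so it is skipped.
        "Other/ServiceControl.exe": b"MZ\x90\x00..OpenSSL 3.3.2 3 Sep 2024\x00",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo(minimum_ok="3.4.0"):
    """Scan the constructed tree. minimum_ok is a placeholder, not a real fixed-in version."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_bundled_openssl(tmp, minimum_ok)


if __name__ == "__main__":
    for rel, ver, status in demo():
        print(f"{status:9} {ver or '-':8} {rel}")
```

Run it against the real ServiceControl install directory by calling `find_bundled_openssl(r"C:\Program Files (x86)\Particular Software\ServiceControl", "<fixed-in version>")`; anything reported as "unknown" deserves a manual look, since a stripped or unusual build may not carry the banner.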