Description
What were you trying to do?
Identifying applications in use in our organisation containing vulnerable 3rd party components which affect our organisation's vulnerability risk / score.
What actually happened?
I have identified that the latest HeidiSQL installer v12.8.0.6908 contains OpenSSL v1.1.1s and v3.1.5 DLLs
OpenSSL v1.1.1s is vulnerable to at least 16 CVEs (The highest severity is HIGH).
OpenSSL v3.1.5 is vulnerable to at least 5 CVEs (1 MODERATE severity & 4 LOW severity).
With HeidiSQL installed for all users (in C:\Program Files\HeidiSQL), using the following PowerShell, here is the evidence:
cd 'C:\Program Files\HeidiSQL\'
Get-ChildItem *libcrypt*.dll,*libssl*.dll,*openssl.exe,heidisql.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object * -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename,FileDescription,CompanyName,LegalCopyright | ft -auto
Results:
ProductVersion FileVersionRaw FileName FileDescription CompanyName LegalCopyright
-------------- -------------- -------- --------------- ----------- --------------
12.8.0.6908 C:\Program Files\HeidiSQL\heidisql.exe
1.1.1s 1.1.1.19 C:\Program Files\HeidiSQL\libcrypto-1_1-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2022 The OpenSSL Authors. All rights reserved.
1.1.1s 1.1.1.19 C:\Program Files\HeidiSQL\libssl-1_1-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2022 The OpenSSL Authors. All rights reserved.
3.1.5 3.1.5.0 C:\Program Files\HeidiSQL\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.1.5 3.1.5.0 C:\Program Files\HeidiSQL\libssl-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
As OpenSSL releases new versions from time to time to fix published CVEs, it is important that software vendors keep any 3rd party components (OpenSSL DLLs in this case) up to date to prevent these vulnerabilities giving malicious code an access point.
The most recent OpenSSL release was on the 3rd September (v3.0.15, v3.1.7, v3.2.3 and v3.3.2) to fix some recently published CVEs.
Full List of OpenSSL Vulnerabilities: https://openssl-library.org/news/vulnerabilities/
OpenSSL v1.1.1 is now end-of-life so should no longer be used (although security updates are available for customers with a premium level support agreement).
What did you expect to happen?
Please remove OpenSSL v1.1.1 from the HeidiSQL product and update to v3.1.7 (or either v3.2.3 or v3.3.2)
HeidiSQL version
12.8.0.6908
Database server version
Error/Backtrace
n/a
Reproduction recipe
PowerShell evidence:
cd 'C:\Program Files\HeidiSQL\'
Get-ChildItem *libcrypt*.dll,*libssl*.dll,*openssl.exe,heidisql.exe -Recurse -Force -ErrorAction SilentlyContinue | Select-Object * -ExpandProperty versioninfo | Sort-Object ProductVersion,FileVersionRaw,Filename | Select-Object ProductVersion,FileVersionRaw,Filename,FileDescription,CompanyName,LegalCopyright | ft -auto
Results:
ProductVersion FileVersionRaw FileName FileDescription CompanyName LegalCopyright
-------------- -------------- -------- --------------- ----------- --------------
12.8.0.6908 C:\Program Files\HeidiSQL\heidisql.exe
1.1.1s 1.1.1.19 C:\Program Files\HeidiSQL\libcrypto-1_1-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2022 The OpenSSL Authors. All rights reserved.
1.1.1s 1.1.1.19 C:\Program Files\HeidiSQL\libssl-1_1-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2022 The OpenSSL Authors. All rights reserved.
3.1.5 3.1.5.0 C:\Program Files\HeidiSQL\libcrypto-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
3.1.5 3.1.5.0 C:\Program Files\HeidiSQL\libssl-3-x64.dll OpenSSL library The OpenSSL Project, https://www.openssl.org/ Copyright 1998-2024 The OpenSSL Authors. All rights reserved.
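An added example, not part of the issue or the HeidiSQL project, that turns the one-off listing above into a reusable check: it finds the OpenSSL DLLs under an install directory, reads their FileVersionRaw, and flags any 1.1.1-line DLL as end-of-life and any 3.x DLL below the fixed release named in the issue (3.0.15, 3.1.7, 3.2.3, 3.3.2). The minimum-version table is an assumption frozen at the versions the issue cites and will need updating as OpenSSL publishes new releases.

```powershell
# Added example: report OpenSSL DLLs that are end-of-life or below a minimum version.
function Get-OpenSslDllStatus {
    param(
        [string]$Path = 'C:\Program Files\HeidiSQL',
        # Assumed minimums per 3.x release line, taken from the versions the issue cites.
        # 1.1.1 is end-of-life, so every 1.1.1 DLL is flagged regardless of letter suffix.
        [hashtable]$Minimum = @{
            '3.0' = [version]'3.0.15'
            '3.1' = [version]'3.1.7'
            '3.2' = [version]'3.2.3'
            '3.3' = [version]'3.3.2'
        }
    )

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^lib(crypto|ssl)-.*\.dll$' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # FileVersionRaw is a [System.Version], e.g. 1.1.1.19 for 1.1.1s or 3.1.5.0 for 3.1.5,
            # so it compares numerically unlike the ProductVersion string.
            $v    = $vi.FileVersionRaw
            $line = "$($v.Major).$($v.Minor)"

            if ($v.Major -eq 1) {
                $status = 'EOL: 1.1.1 line receives no public security fixes'
            }
            elseif ($Minimum.ContainsKey($line)) {
                $status = if ($v -lt $Minimum[$line]) { "OUTDATED: below $($Minimum[$line])" } else { 'OK' }
            }
            else {
                $status = 'UNKNOWN: release line not in minimum table'
            }

            [pscustomobject]@{
                File           = $_.FullName
                ProductVersion = $vi.ProductVersion
                FileVersion    = $v
                Status         = $status
            }
        }
}

# Run against the default HeidiSQL location; pass -Path to scan another product directory.
Get-OpenSslDllStatus | Sort-Object FileVersion | Format-Table -AutoSize
```

Against the listing in this issue the function reports both 1.1.1s DLLs as EOL and both 3.1.5 DLLs as OUTDATED (below 3.1.7); an installer shipping only 3.1.7 or later would show OK.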