I’ll believe it when I see it. Thanks for letting us know.
Great. I’ll have something to look forward to in 2028.
At this rate the fix will probably ship as soon as OpenSSL 3 goes end of life and 4 becomes the standard
Running Zoom 6.0.10.39647 and it’s now OpenSSL 3.1.5
Check release notes for May 20, 2024 version 6.0.10 (39171)
Zoom has only got CVE-2024-4603 and CVE-2024-2511 against it now until they increase the dependency.
We are now removing the Zoom client from our estate of nearly 30,000 machines as your responses are far from satisfactory, e.g. commentary/acknowledgement on the CVE and time to remediate.
6 weeks after Dante’s post and still no 6.1 release. Looks like Zoom wants to wait to make sure we get something nice for Xmas instead.
I wonder how many people that have posted in this thread are at a different job/role right now compared to when they first posted.
It won’t be too long before someone makes a post in here asking for this to be fixed for the 3rd company/job they’re at where this still remains an issue.
@donte.zoom - Please could you provide an update as to why the resolves haven’t been rolled out as promised in 6.1 today
Anything? Anything at all?
Hello all, I have shared your concerns and am waiting for a response.
Please fix your dependent libraries. The openssl vulnerabilities are consistently at the top of the list of addressable items.
Zoom: This is unacceptable. It’s been many months now. Either fix it or explain the hold up!
28 Days Later
Great film... but that’s the time we’ve waited for a reply.
Can’t even post replies to keep it live as they limit us to 3 posts per thread within a certain time frame.
Even a fresh installation of version 5.17.1 (28914) still includes the outdated OpenSSL 3.1.1.0 binaries.
Still waiting on an update on progress here.
Hi All,
Please upgrade to Zoom client version 6.1.0 or higher. We upgraded to the OpenSSL library 3.1.5 in May, so OpenSSL is no longer an issue.
Similarly client version 6.1.0 and up avoids CVE-2023-5678. On the other hand, I have confirmed with security engineering that CVE-2024-2511 and CVE-2024-4603 have no impact on the Zoom client, but am looking into a formal communications response to provide more clarity for client users.
The issue persists even after updating to version 6.1.6 !!!
Hi @mohhusr which specifically is the issue for you? OpenSSL or CVE?
OpenSSL, the below files are vulnerable:
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\zoom\bin\libssl-3-zm.dll
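The two DLLs listed above are where a scanner looks for the bundled OpenSSL version, and the later posts in this thread complain that it is hard to tell which OpenSSL release a given Zoom build actually ships. The script below is an added example (not code from Zoom, OpenSSL or any poster in this thread) that does the same check a scanner does: it finds the `OpenSSL x.y.z` version text that libcrypto embeds in its binary, compares it against a minimum version the caller chooses (the thread names 3.1.7 as the current 3.1.x release), and reports ok / outdated / no version string. The sample byte blob is constructed inline so the example runs offline; the Zoom paths are the ones quoted in the post and are only scanned if they exist.

```python
import re
from pathlib import Path
from typing import Optional

# libcrypto embeds its OPENSSL_VERSION_TEXT (e.g. "OpenSSL 3.1.5 ...") as a
# plain string; matching on it is how inventory scanners identify bundled copies.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")

Version = tuple[int, int, int]

# Paths quoted in the thread for the Zoom-bundled OpenSSL DLLs on Windows.
ZOOM_OPENSSL_DLLS = [
    r"c:\program files\zoom\bin\libcrypto-3-zm.dll",
    r"c:\program files\zoom\bin\libssl-3-zm.dll",
]

# Constructed stand-in for a DLL: junk bytes with one embedded version string.
# (Not a real Zoom binary; the date text is illustrative only.)
SAMPLE_DLL = (
    b"MZ" + b"\x00" * 48
    + b"OpenSSL 3.1.5 30 Jan 2024\x00"
    + b"\x00" * 32
)


def parse_version(text: str) -> Version:
    """'3.1.7' -> (3, 1, 7); tuples compare correctly unlike dotted strings."""
    major, minor, patch = (int(p) for p in text.strip().split("."))
    return (major, minor, patch)


def find_openssl_versions(data: bytes) -> list[Version]:
    """Every distinct OpenSSL version string in the blob, lowest first."""
    found = {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(data)}
    return sorted(found)  # type: ignore[arg-type]


def lowest_version(data: bytes) -> Optional[Version]:
    """The oldest version string present, or None if the blob has none."""
    versions = find_openssl_versions(data)
    return versions[0] if versions else None


def assess(data: bytes, minimum: Version) -> str:
    """Classify a binary: 'ok', 'outdated', or 'no-openssl-string'.

    The lowest version found is used so that a binary carrying an older
    string anywhere is never reported as up to date.
    """
    version = lowest_version(data)
    if version is None:
        return "no-openssl-string"
    return "ok" if version >= minimum else "outdated"


def scan_paths(paths: list[str], minimum: Version) -> list[dict]:
    """Read each existing file and report its status; missing files are skipped."""
    results = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        data = path.read_bytes()
        results.append({
            "path": str(path),
            "version": lowest_version(data),
            "status": assess(data, minimum),
        })
    return results


if __name__ == "__main__":
    baseline = parse_version("3.1.7")  # latest 3.1.x named in the thread
    print("sample blob:", lowest_version(SAMPLE_DLL), assess(SAMPLE_DLL, baseline))
    for row in scan_paths(ZOOM_OPENSSL_DLLS, baseline):
        print(row)
```

Treat a "no-openssl-string" result as unknown rather than safe: a statically linked or stripped copy can omit the text, in which case the file hash against the vendor's release notes is the fallback check. Version text alone also cannot tell you whether a vendor backported a specific fix, which is exactly the ambiguity complained about later in the thread, so the minimum you pass in should be the upstream release that actually contains the fix you care about.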
This issue is almost a year old and we are no nearer closing the gap at all.
How hard could it possibly be for a developer at Zoom to check upstream dependencies on a regular basis?
OpenSSL 3.1.6 was released on the 4th of June 2024 and 3.1.7 was released on the 3rd of September 2024.
I keep seeing a repeating pattern of Zoom not accurately declaring which CVEs are backported (under the 3.1.5 version) from OpenSSL 3.1.6 / 3.1.7 when they were still in WIP.
To be 100% clear, now that those versions are released, Zoom should have the 3.1.7 version code in the .dll files on all releases going forward.
Now that they are released Zoom should be monitoring the upstream vulnerability pages for security fix commits in the 3.1.8 branch etc.
The URL for convenience is: https://openssl-library.org/news/vulnerabilities/index.html