OpenSSL vulnerability


Postby neilb » 2014-06-13 07:38

I just received an email from Google that was threatening to ban one or more Android apps due to SSL vulnerabilities.

They wouldn't tell me which apps, so I used a Heartbleed scanner and it flagged all my ShiVa apps as running a really old version of OpenSSL. The vulnerability is dated 7 days ago, so it's very new.

I'm not 100% sure ShiVa is the reason that Google flagged and emailed me, but libssl is definitely shipping with all my ShiVa apps.

How can I update libssl to the latest version?


Re: OpenSSL vulnerability

Postby NiCoX » 2014-06-13 10:16


Re: OpenSSL vulnerability

Postby feng3d » 2014-06-13 10:28

Hi,
I got the same mail.
Because I don't need SSL, I have removed the OpenSSL lib from my apps.
Is it OK?

Re: OpenSSL vulnerability

Postby broozar » 2014-06-13 13:02


Re: OpenSSL vulnerability

Postby giggsy » 2014-06-13 13:18


Re: OpenSSL vulnerability

Postby Fraser » 2014-06-13 15:58

Fraser,

Re: OpenSSL vulnerability

Postby NiCoX » 2014-06-14 00:31

Hi all,

Please find the OpenSSL 1.0.1h compiled for Android:



The archive includes libcrypto and libssl for the arm-v5te, arm-v7a and x86 architectures.

The files must be renamed (by removing the architecture suffix) if you replace them in an existing Eclipse project, or if you just want to "unzip" the APK, replace the libs, and repack. For all new exports, just decompress the archive in the Android build directory, which is:

- on Mac OS X: /Path/To/ShiVa Authoring Tool.app/Contents/Resources/Data/Mac/Android/Build
- on Windows: /Path/To/ShiVa Authoring Tool/Data/Mac/Android/Build

Please let us know if you encounter problems, or if that just works!

Re: OpenSSL vulnerability

Postby kaxig » 2014-06-16 14:13

Is there a way to validate the new functionality?
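
One way to check that a repacked APK really carries the replaced libraries, as an added example that is not part of the original thread or of ShiVa's tooling: it reads every `lib/<abi>/*.so` entry and compares the embedded OpenSSL version banner with the 1.0.1h build posted above. It assumes the libraries ship as shared objects under `lib/` inside the APK; the function names and the in-memory sample APK (including `libgame.so`) are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Banner that OpenSSL builds embed in libcrypto/libssl, e.g.
# b"OpenSSL 1.0.1h 5 Jun 2014". Groups: major, minor, fix, patch letters.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")


def version_key(major, minor, fix, letters):
    # Letters sort by length first so a two-letter patch ranks above "z".
    return (int(major), int(minor), int(fix), len(letters), letters)


def scan_apk(apk, baseline=b"1.0.1h"):
    """Map each lib/*.so entry carrying an OpenSSL banner to (version, ok)."""
    floor = version_key(*BANNER.fullmatch(b"OpenSSL %s " % baseline).groups())
    report = {}
    with zipfile.ZipFile(apk) as zf:  # apk: path or file object
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            found = BANNER.search(zf.read(name))
            if found:
                version = b"%s.%s.%s%s" % found.groups()
                ok = version_key(*found.groups()) >= floor
                report[name] = (version.decode(), ok)
    return report


def sample_apk():
    # Constructed stand-in for a repacked APK: one ABI still on an old build.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libssl.so", b"\x7fELF\0OpenSSL 1.0.1h 5 Jun 2014\0")
        zf.writestr("lib/x86/libssl.so", b"\x7fELF\0OpenSSL 1.0.1e 11 Feb 2013\0")
        zf.writestr("lib/x86/libgame.so", b"\x7fELF\0no banner here\0")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for target in sys.argv[1:] or [sample_apk()]:
        for lib, (version, ok) in sorted(scan_apk(target).items()):
            print("%-28s OpenSSL %-7s %s" % (lib, version, "ok" if ok else "OUTDATED"))
```

Run it with one or more APK paths as arguments; a library left behind for a single architecture shows up as its own line, which is the case a partial replacement produces.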

Re: OpenSSL vulnerability

Postby _geo_ » 2014-06-17 09:42

Thx for the fix.

We have implemented it and are currently waiting for Google's approval that it's fixed. HTTPS connections have been working fine so far, no problems on the functionality side.

Re: OpenSSL vulnerability

Postby psychicsoftware » 2014-06-17 13:55

Thanks NiCoX!

@Geo: what kind of verification from Google do you expect? They don't have any auditing of uploads, do they?
Sam.
