flex-users mailing list archives

From Frédéric THOMAS <webdoubl...@hotmail.com>
Subject RE: R: R: Alert from Google app store - vulnerable OpenSSL version
Date Fri, 13 Jun 2014 12:49:51 GMT
Well, later, they say:

- As it said in the mail from Google (http://www.openssl.org/news/secadv_20140605.txt), we should upgrade the openssl to version 1.0.1h

answers:
- We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon.
- For mobile applications the AIR SDK 14.0.0.110 is enough and you don't need to update the openSSL on pc.
- The openSSL is bundled in the application so the captive application is also good to go.
- openSSL(1.0.1g) updates are in the Runtime currently. ADB is different and has no role here to cause any vulnerability.

If we look at the Google Play email, they refer us to this URL:
https://www.openssl.org/news/secadv_20140605.txt
It says:

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.


OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.


Frédéric THOMAS

> From: webdoublefx@hotmail.com
> To: users@flex.apache.org
> Subject: RE: R: R: Alert from Google app store - vulnerable OpenSSL version
> Date: Fri, 13 Jun 2014 13:41:24 +0100
> 
> Yes, it seems to be correct, Adobe is updating its release note about it, see this post [1] comments.
> 
> Frédéric THOMAS
> 
> [1] https://forums.adobe.com/message/6455251#6455251
> 
> > Subject: R: R: Alert from Google app store - vulnerable OpenSSL version
> > Date: Fri, 13 Jun 2014 11:11:19 +0200
> > From: f.demaddalena@patente.it
> > To: users@flex.apache.org
> > 
> > I've just compiled an apk with the latest version of AIR and in xxx.apk/lib/armeabi-v7a/libCore.so I found the string "OpenSSL 1.0.1g".
> > In the older version of the same apk I found "OpenSSL 1.0.1e".
> > Is 1.0.1g the correct version of OpenSSL? I've updated AIR SDK two hours ago...
> > Sorry for my bad English
> > 
> > Federico
> > 
> > -----Original message-----
> > From: Tom Chiverton [mailto:tc@extravision.com]
> > Sent: Friday, 13 June 2014 10:52
> > To: users@flex.apache.org
> > Subject: Re: R: Alert from Google app store - vulnerable OpenSSL version
> > 
> > On 13/06/14 09:20, Federico De Maddalena wrote:
> > > I received the same email...probably we have to recompile with the 
> > > latest version of air sdk 14 (14.0.0.110)
> > And as newer AIRs don't support Linux, that's the end of distributing AIR apps directly from Linux :-/ Something else I need VirtualBox for I suppose !
> > 
> > Tom
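
The check Federico describes in the thread (looking for the "OpenSSL x.y.z" string in the native libraries inside the APK) can be scripted. This is an added example, not part of the original thread and not Adobe or Apache tooling; the function names and the sample APK are constructed for illustration, and only the 1.0.1 branch is assessed because 1.0.1h is the only fix release the thread quotes.

```python
import io
import re
import zipfile

# Banner format as quoted in the thread, e.g. "OpenSSL 1.0.1g"
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})\b")
FIXED_BRANCH, FIXED_LETTER = "1.0.1", "h"  # "upgrade to 1.0.1h" per the advisory


def letter_key(suffix):
    # Orders release letters: "" < "a" < ... < "z" < "za"
    return (len(suffix), suffix)


def classify(base, suffix):
    """Return 'outdated', 'ok' or 'not-assessed' relative to 1.0.1h."""
    if base != FIXED_BRANCH:
        return "not-assessed"  # the thread only names the 1.0.1 fix release
    return "ok" if letter_key(suffix) >= letter_key(FIXED_LETTER) else "outdated"


def scan_apk(apk):
    """Map each lib/*.so in the APK to the OpenSSL banners found in it."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            hits = {(m.group(1).decode(), m.group(2).decode())
                    for m in BANNER.finditer(zf.read(name))}
            if hits:
                findings[name] = sorted((b + s, classify(b, s)) for b, s in hits)
    return findings


def make_sample_apk(banner):
    """Constructed stand-in for an APK: a zip holding one fake libCore.so."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libCore.so",
                    b"\x7fELF\x00\x00" + banner + b"\x00padding\x00")
        zf.writestr("assets/readme.txt", b"OpenSSL 1.0.1e")  # not a lib: skipped
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for banner in (b"OpenSSL 1.0.1e", b"OpenSSL 1.0.1g", b"OpenSSL 1.0.1h"):
        print(scan_apk(make_sample_apk(banner)))
```

`scan_apk` also accepts a path to a real `.apk` file, since `zipfile.ZipFile` takes either a filename or a file object.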