OpenSSL 9.8 is the copy used by the integrated PHP.
4D is not using PHP in the context of a public web server.
It has no impact on security.

I wasn't aware of jQuery,
but it looks like the welcome dialog uses it.
Again, it has no impact on security.

---

As for keeping the libraries up-to-date:

4D already does that for the core libraries that have actual impact on security,
for the server, encryption, and hash features.

The OpenSSL library used by 4D itself is updated with every other R release.
(see release notes)

17R2 is OpenSSL 1.0.2n 7 Dec 2017, same for 17.0 HF4
16R6 is OpenSSL 1.0.2h 3 May 2016
15R5 is OpenSSL 1.0.1p 9 Jul 2015

But I am not sure if the same should be done for parts that are irrelevant to
security,
such as the welcome dialog or PHP Execute.

---

How a certain validation tool defines security is outside 4D's control.

But you can decide to add any third party code to your 4D application in your
built product,
so it seems reasonable that you should just update the libraries yourself in
this instance,
in order to satisfy those tools that do a blanket check on the versions of
known libraries.

> 2018/11/25 21:37, Carl Aage Wangel via 4D_Tech <[email protected]> wrote:
>
> I have created a desktop application (stand-alone application, Windows). I
> use Install Shield Express to create a setup.exe file so potential buyers
> can download from my web page. Testing it out on a separate PC with Norton
> Security installed, the setup.exe file is declared a security risk and is
> deleted. Norton Security is also installed on the PC where the Desktop
> application is developed.
>
> I ran FlexNet Code Aware on the Desktop application (developer PC) and
> several issues came up. It appears 4D is using OpenSSL v0.9.8 in several places
> in this compiled version and OpenSSL v1.0.2k. OpenSSL v0.9.8r has security
> issues considered high risk. There is a security issue with OpenSSL v1.0.2k
> as well, but a lower risk. Latest version is 1.1.x.
>
> 4D also appears to be using jQuery v1.6.1. This version is open for
> cross-site scripting and the version is deprecated. Latest version is v3.x.
>
> If FlexNet Code Aware is correct I think it would be appropriate for 4D to
> update these elements, so that potential buyers of a Desktop application are
> not scared away.



**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:[email protected]
**********************************************************************
