Hi Todd,

We have updated the OpenSSL version to 1.0.1s, and the patch will be included in the next LiveCode release (6.7.11-rc-1 / 7.1.4-rc-1 / 8.0.0-dp-17).

Best regards,
Panos
--

On Thu, Mar 31, 2016 at 10:03 PM, Todd Fabacher <tfabac...@gmail.com> wrote:

> Here is the email
>
> Hello Google Play Developer,
>
> Your app(s) listed at the end of this email utilize a version of OpenSSL that contains one or more security vulnerabilities. If you have more than 20 affected apps in your account, please check the Developer Console <https://www.google.com/appserve/mkt/p/fjei2Ep_bOBlYuDc6w9bmNJq7yf2tJoxDhZCISvC3oPBU402G0KdpugkDbaYNCNfFe5Krmc=> for a full list.
>
> *Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK.* Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.
>
> The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions of OpenSSL can be downloaded here <https://www.google.com/appserve/mkt/p/cYEKsNY1EXxMUibx1g5wXFqEUJug2qxAljz5dcjw0FdtOCzzVgES3UnVMg3NZzg=>. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").
>
> To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
>
> The vulnerabilities include "logjam <https://www.google.com/appserve/mkt/p/wwzjM8dOQQABsjZHsmizCbtZBSy8QLOCS_zC_JwDzZFu8t3E>" and CVE-2015-3194 <http://www.google.com/appserve/mkt/p/5Fet4eNQpubmLcdcsDLDxQVC3cpQIobX-ZpnUbOEzQ-ef8eBEX8b3UwbW-2vkf0uOl4MxDC_ybcHvx-9tuf2bvBKMB1VVG-jISB4iU8SW3IZDl956lVV1NcKOGImM_eDDfVPYU7DHSCeP6NAKczWI21Zwhb26nmp1L7at28gjcE=>. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here <https://www.google.com/appserve/mkt/p/SaM0ZeGJS3KDm1_UVkqSocD06axb2Pnx2R11VGhz5ztJQm6xXXC69LkUGxikh7zJ2dtHtGx5iOgP9RIJjcHKsfY=>. For other technical questions, you can post to Stack Overflow <https://www.google.com/appserve/mkt/p/eMKFo3KVNtsXJIz_0hnZoToX-cCMUIa3k-i9378x7adhWusHjYDL83SZltgBexcJz0z-o_wtJh0=> and use the tags “android-security” and “OpenSSL.”
>
> While these specific issues may not affect every app that uses OpenSSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy <https://www.google.com/appserve/mkt/p/8Ke0G-Rjrwg2kyNAeVDUbN-PtGFFtm0XwcheZ2wPcRjpI-4yIcgkVmqu_o7W8H3w320ruNzsFnZ5FixHl7DH5uUdtapHi5ZFg_iDtWKQrzqSmvgWhgQEjBeOQQ==> and section 4.4 <https://www.google.com/appserve/mkt/p/J66OFIBf3DgWBKNfQlTjy5x6M2_SVA1zJopao2l5WkqBG5pKvFHNIi1_lvTYpP-Fk6QzgzQ4loBrQyIR6D6zfqLPoFqA4KPgLNnhOoCZz1DZ9c9vfHwvA3JYPTs6DRE=> of the Developer Distribution Agreement.
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
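
The version check from the quoted notice (`unzip -p YourApp.apk | strings | grep "OpenSSL"`), extended to compare each banner it finds against the 1.0.1r / 1.0.2f minimums. This is an added example, not part of the original thread or of LiveCode; the function names, the sample archive and the handling of branches outside 1.0.1 and 1.0.2 are assumptions.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.1s  1 Mar 2016".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Minimum letter release per branch; the notice's "1.02f/1.01r" is 1.0.2f / 1.0.1r.
MINIMUM = {(1, 0, 1): "r", (1, 0, 2): "f"}


def meets_minimum(branch, letter):
    """True if the release is at or above the notice's minimum for its branch."""
    if branch in MINIMUM:
        floor = MINIMUM[branch]
        # Letter suffixes order as "", a..z, za, zb, ...: compare length, then text.
        return (len(letter), letter) >= (len(floor), floor)
    # Assumption: branches older than 1.0.1 fail, branches newer than 1.0.2 pass.
    return branch > (1, 0, 2)


def scan_apk(apk):
    """Return sorted (member, version, ok) tuples for every banner in the APK."""
    findings = set()
    with zipfile.ZipFile(apk) as archive:
        for member in archive.namelist():
            # read() decompresses the member, like `unzip -p` in the notice.
            for m in BANNER.finditer(archive.read(member)):
                branch = tuple(int(g) for g in m.group(1, 2, 3))
                letter = m.group(4).decode()
                version = "%d.%d.%d%s" % (branch + (letter,))
                findings.add((member, version, meets_minimum(branch, letter)))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: a zip with two fake native libraries, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("lib/armeabi/libold.so", b"\x7fELF\x00OpenSSL 1.0.1j 15 Oct 2014\x00")
        archive.writestr("lib/armeabi/libnew.so", b"\x7fELF\x00OpenSSL 1.0.1s  1 Mar 2016\x00")
        archive.writestr("classes.dex", b"dex\n035\x00no crypto here")
    return buf


if __name__ == "__main__":
    for member, version, ok in scan_apk(build_sample_apk()):
        print("%-24s OpenSSL %-8s %s" % (member, version, "ok" if ok else "OUTDATED"))
```

Reporting the archive member alongside the version shows which bundled library still carries the old OpenSSL, which matters when a third-party library ships its own copy.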