[Resolved] Security problem with OpenSSL, app can be removed on Google Play whenever


#21

I don't know exactly how to apply the fix. I am using cocos2d-x-2.2.3; to update for this issue, which folder should I copy and replace in cocos2d-x-2.2.3?


#22

Interestingly, I used the suggested app to test mine and all of them passed even though they are listed as using OpenSSL 1.0.0 (it did say “heartbeats: off”). I wonder if Google just saw that it was using an old version and flagged it regardless of whether it was actually an issue.


#23

I edited my post to make it more clear, but this new vulnerability Google flags as dangerous isn’t Heartbleed. We’re just using that app to get the version number of SSL to verify that a high enough version (that fixes the issue) was bundled with the app.

tldr: ignore the “passed” flag.


#24

Which files should I update?


#25

We just received this warning for 4 of our Android apps running cocos2d-x 2.2.1. We have replaced the curl folder with the new .a files as described here: http://cocos2d-x.org/news/286. However, the Heartbleed scanner still says version 1.0.0a (except for one app, which says it's 1.0.1h).
I had tried cleaning/deleting files and rebuilding multiple times in Android, but the remaining 2 apps still show 1.0.0a.

Any help?


#26

I am facing the same issue as @Smartgames.

Get the following result:
OpenSSLDie
DH_OpenSSL
DSA_OpenSSL
ECDH_OpenSSL
ECDSA_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
UI_OpenSSL
could not parse PKCS12 file, check password, OpenSSL error %s
OpenSSL/%lx.%lx.%lx%s
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL 1.0.0a 1 Jun 2010
OpenSSL default
OpenSSL PKCS#3 DH method
OpenSSL DH Method
OpenSSL DSA method
OpenSSL ‘dlfcn’ shared library method
OpenSSL EC algorithm
OpenSSL ECDH method
OpenSSL ECDSA method
OpenSSL HMAC method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL RSA method
OpenSSL default user interface
AES part of OpenSSL 1.0.0a 1 Jun 2010
ASN.1 part of OpenSSL 1.0.0a 1 Jun 2010
Blowfish part of OpenSSL 1.0.0a 1 Jun 2010
Big Number part of OpenSSL 1.0.0a 1 Jun 2010
CONF_def part of OpenSSL 1.0.0a 1 Jun 2010
CONF part of OpenSSL 1.0.0a 1 Jun 2010
DES part of OpenSSL 1.0.0a 1 Jun 2010
libdes part of OpenSSL 1.0.0a 1 Jun 2010
Diffie-Hellman part of OpenSSL 1.0.0a 1 Jun 2010
DSA part of OpenSSL 1.0.0a 1 Jun 2010
^ECDH part of OpenSSL 1.0.0a 1 Jun 2010
ECDSA part of OpenSSL 1.0.0a 1 Jun 2010
EVP part of OpenSSL 1.0.0a 1 Jun 2010
lhash part of OpenSSL 1.0.0a 1 Jun 2010
MD4 part of OpenSSL 1.0.0a 1 Jun 2010
MD5 part of OpenSSL 1.0.0a 1 Jun 2010
PEM part of OpenSSL 1.0.0a 1 Jun 2010
RAND part of OpenSSL 1.0.0a 1 Jun 2010
RC2 part of OpenSSL 1.0.0a 1 Jun 2010
RC4 part of OpenSSL 1.0.0a 1 Jun 2010
RIPE-MD160 part of OpenSSL 1.0.0a 1 Jun 2010
RSA part of OpenSSL 1.0.0a 1 Jun 2010
SHA1 part of OpenSSL 1.0.0a 1 Jun 2010
SHA-256 part of OpenSSL 1.0.0a 1 Jun 2010
SHA-512 part of OpenSSL 1.0.0a 1 Jun 2010
Stack part of OpenSSL 1.0.0a 1 Jun 2010
TXT_DB part of OpenSSL 1.0.0a 1 Jun 2010
X.509 part of OpenSSL 1.0.0a 1 Jun 2010
SSLv2 part of OpenSSL 1.0.0a 1 Jun 2010
SSLv3 part of OpenSSL 1.0.0a 1 Jun 2010
TLSv1 part of OpenSSL 1.0.0a 1 Jun 2010
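The scanner output quoted above is a strings dump of the app's native libraries: every OpenSSL build compiles a banner of the form "OpenSSL 1.0.0a 1 Jun 2010" into libcrypto/libssl (and into every "... part of OpenSSL ..." string), which is what the scanner app reports. The following is an added example, not code from the thread or from cocos2d-x, of a small checker that looks for those banners in a .so, .a, or unpacked APK lib file and compares every version found against a minimum. The constant names, the sample byte blobs, and the default minimum of 1.0.1j (the version the thread says Google accepted) are assumptions; the sample inputs are constructed, not real library contents.

```python
import os
import re
import sys

# Banner that OpenSSL compiles into libcrypto/libssl, e.g. "OpenSSL 1.0.0a 1 Jun 2010".
# Matching the trailing date avoids false hits on format strings such as "OpenSSL/%lx.%lx.%lx%s".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) (\d{1,2} [A-Z][a-z]{2} \d{4})")

# Constructed sample blobs standing in for stripped native libraries (hypothetical, not real files).
SAMPLE_OLD = (b"\x7fELF\x00\x00ECDSA part of OpenSSL 1.0.0a 1 Jun 2010\x00"
              b"OpenSSL 1.0.0a 1 Jun 2010\x00RSA part of OpenSSL 1.0.0a 1 Jun 2010\x00")
SAMPLE_NEW = b"\x7fELF\x00\x00OpenSSL 1.0.1j 15 Oct 2014\x00"
# A build that linked a fresh libssl but kept a stale libcrypto object: both banners are present.
SAMPLE_MIXED = SAMPLE_OLD + SAMPLE_NEW


def parse_version(ver: str) -> tuple:
    """Turn '1.0.1j' into a sortable tuple (1, 0, 1, 'j'); a missing letter sorts before 'a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {ver}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def find_openssl_versions(blob: bytes) -> list:
    """Return the distinct OpenSSL versions whose banner appears in the blob, in order of appearance."""
    seen = []
    for m in VERSION_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        if version not in seen:
            seen.append(version)
    return seen


def check_library(blob: bytes, minimum: str = "1.0.1j") -> dict:
    """Report every banner found and flag any older than `minimum`.

    'ok' is True only when at least one banner was found and none is outdated: a library
    with no banner at all is reported as not ok, because nothing could be verified.
    """
    found = find_openssl_versions(blob)
    floor = parse_version(minimum)
    outdated = [v for v in found if parse_version(v) < floor]
    return {"found": found, "outdated": outdated, "ok": bool(found) and not outdated}


def scan_path(path: str, minimum: str = "1.0.1j") -> dict:
    """Scan one file, or every file under a directory (e.g. an unpacked APK's lib/ tree)."""
    results = {}
    targets = [path]
    if os.path.isdir(path):
        targets = [os.path.join(root, name) for root, _, files in os.walk(path) for name in files]
    for target in targets:
        with open(target, "rb") as f:
            results[target] = check_library(f.read(), minimum)
    return results


if __name__ == "__main__":
    # Usage: python check_openssl_banner.py <file-or-dir> [minimum-version]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    minimum = sys.argv[2] if len(sys.argv) > 2 else "1.0.1j"
    if target is None:
        # No path given: demonstrate on the constructed samples.
        for name, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("mixed", SAMPLE_MIXED)):
            print(name, check_library(blob, minimum))
    else:
        for file, result in scan_path(target, minimum).items():
            status = "OK " if result["ok"] else "BAD"
            print(f"{status} {file}: found={result['found']} outdated={result['outdated']}")
```

Running it over the lib/ directory of an unzipped APK shows whether an old banner still survives after swapping the .a files, which is exactly the situation in the posts above where a rebuild kept reporting 1.0.0a: a stale object that was not relinked carries the old banner alongside the new one. The check is a heuristic; a build that strips these strings will report no banner at all, so the version has to be verified from the build inputs in that case.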


#27

Hi zhangxm,

I also tried all the things you mentioned.

  • Replaced the curl file.
  • Deleted/added files and rebuilt.
  • Uploaded the APK to the Google Play Store account.

But it is still showing the same error. Please help.

#28

Hi guys,

We updated OpenSSL to v1.0.1j for libcurl in v3.4. You can find it in the latest version of the 3rd-party bin.

As you can see, now there are 3 libs in curl folder.


#29

If the libcurl in v3.4 is working for you, please let me know.
Thanks.


#30

Hi,

I have replaced my curl from the mentioned link :smile:

I also replaced the new libs added in curl. Now I have 3 libs in the curl folder; I rebuilt the project but am still getting the same SSL error.
Here I am attaching the snapshot:


Google Play 60-day deadline for resolving OpenSSL vulnerabilities
#31

It works for me. Mine is quick-cocos2dx 2.2.1; I first got the warning from Google Play and updated OpenSSL to v1.0.1h, but it still got the warning. Yesterday I got v1.0.1j and it passed Google Play. Thanks.