I use cocos2dx3.0-final to make my game and published it to the Google Play store.
Today I received mail from Google Play:
Hello,
One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.
Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
Regards,
Google Play Team
I have the same e-mail today. I think this issue has something to do with curl being compiled using OpenSSL. I think there’s a need to recompile that library using latest OpenSSL version. I’ll wait for more replies here.
Checked on other sites and others are claiming that they also got similar emails from Google. They say that it could be 3rd party SDK using OpenSSL that’s causing this.
I’m using cocos2d-x 2.x version, Ad Mob, Google Play Services and EziSocial Facebook Integration library. I would appreciate it if someone from the cocos2d-x core team can confirm if this is an engine issue or not.
Can you give more detailed instructions on how to build it?
I think it’s a serious issue for all cocos2dx games and expected a simple way to patch this SSL security problem (e.g. update the libcurl.a) for all different cocos2dx versions, because some games are still running an old version of cocos2dx.
@zhangxm I uploaded an APK with your precompiled libs and my update went through fine.
Btw: You can verify the version of OpenSSL your app is running by using BlueBox’s Heartbleed Scanner. Ignore the “Passed” indicator, as this new vulnerability isn’t Heartbleed – we’re just looking at the version number here: compare the version of your SSL before and after you replace it with @zhangxm's static lib.
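An offline way to do the same before/after version comparison, as an added example that is not part of the original posts: it scans the native libraries inside an APK for the OpenSSL version banner and compares it with the first fixed releases named in the 5 June 2014 advisory (0.9.8za, 1.0.0m, 1.0.1h). The function names are hypothetical and the sample APK is constructed in memory.

```python
import io
import re
import zipfile

# First fixed releases per branch in the 5 June 2014 OpenSSL advisory.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# OpenSSL embeds a banner such as "OpenSSL 1.0.1g 7 Apr 2014" in its binaries.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-fips)? +\d{1,2} [A-Z][a-z]{2} \d{4}")


def letter_rank(suffix):
    """Order patch letters the way OpenSSL does: '' < a < ... < z < za < zb."""
    return (len(suffix), suffix)


def is_outdated(branch, suffix):
    """True if older than the fix for its branch, None if the branch is not listed."""
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return letter_rank(suffix) < letter_rank(fixed)


def scan_apk(apk):
    """Return sorted (path, version, outdated) for each banner found in lib/**/*.so."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            for m in BANNER.finditer(zf.read(name)):
                branch, suffix = m.group(1).decode(), m.group(2).decode()
                findings.add((name, branch + suffix, is_outdated(branch, suffix)))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: an in-memory zip standing in for a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libgame.so", b"\x7fELF\0OpenSSL 1.0.1g 7 Apr 2014\0")
        zf.writestr("lib/x86/libgame.so", b"\x7fELF\0OpenSSL 1.0.1h 5 Jun 2014\0")
    return buf


if __name__ == "__main__":
    labels = {True: "OUTDATED", False: "ok", None: "branch not in advisory table"}
    for path, version, outdated in scan_apk(build_sample_apk()):
        print(path, version, labels[outdated])
```

To check a real build, pass the path of the APK file to `scan_apk`. A library with no banner is not proof that OpenSSL is absent, only that the version string was not found.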
@forget721
We will update iOS lib today or tomorrow.
Now iOS and Android are in different repos. And because curl building is complex, we will try to unify them and add a link here.