[openssl-dev] [openssl.org #3691] Wishlist: separate strings for libcrypto and libssl

noloader@gmail.com via RT rt at openssl.org
Mon Feb 9 16:11:42 UTC 2015


A while back, Google started flagging software in Google Play for
providing what it believed to be vulnerable versions of OpenSSL. See,
for example, "Security Alert: You are using a highly vulnerable
version of OpenSSL,"
https://groups.google.com/d/msg/android-security-discuss/o3ymXQjdQLI/3Ssoa47R_IYJ.

Google issued the notices based on the presence of OpenSSL strings.
According to the folks on the Android Security team, they based it on
(https://groups.google.com/d/msg/android-security-discuss/o3ymXQjdQLI/KianK6PIIagJ):

    $ unzip -p YourApp.apk | strings | grep "OpenSSL"

I had software caught up in that because libssl and libcrypto do not
provide separate strings. That is, libssl was vulnerable, libcrypto
was OK, but there was no way to differentiate between use of the
two libraries.

Please consider providing separate strings for libssl and libcrypto so
third party policing actions can be more surgical.
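A per-member variant of that check, written as an added example (not part of the original message or of OpenSSL's own code): it scans each archive member separately so a banner in libcrypto can be told apart from one in libssl, and compares against a version floor the caller supplies. The archive, the banner regex and the floor value are constructed assumptions for the example.

```python
import io
import re
import zipfile

# Banner OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.1e 11 Feb 2013";
# only the version token is captured. (Pattern constructed for this example.)
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def parse_version(ver):
    """Turn '1.0.1e' into the comparable tuple (1, 0, 1, 'e')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % ver)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def scan_apk(apk_bytes):
    """Map each archive member carrying an OpenSSL banner to its sorted versions.
    `unzip -p | strings | grep` concatenates every member first, losing which
    .so the banner came from; scanning member by member keeps that attribution."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            found = {m.group(1).decode() for m in OPENSSL_BANNER.finditer(zf.read(info))}
            if found:
                hits[info.filename] = sorted(found, key=parse_version)
    return hits


def below_minimum(hits, minimum, only=None):
    """Members whose oldest banner is older than the caller's floor (e.g. '1.0.1g');
    `only` limits the check to names containing that substring, e.g. 'libssl'."""
    floor = parse_version(minimum)
    return sorted(name for name, vers in hits.items()
                  if (only is None or only in name) and parse_version(vers[0]) < floor)


def build_sample_apk():
    """Constructed stand-in for an APK: libcrypto with an old banner, an app
    library with a newer statically linked copy, and an asset with no banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libcrypto.so", b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("lib/armeabi/libmyapp.so", b"\x7fELF\x00OpenSSL 1.0.1j 15 Oct 2014\x00")
        zf.writestr("assets/readme.txt", b"no banner here")
    return buf.getvalue()
```

With the sample archive, `below_minimum(hits, "1.0.1g")` flags libcrypto, while the same floor restricted with `only="libssl"` flags nothing, which is the distinction the whole-archive grep cannot make.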
