[openssl-dev] [openssl.org #3691] Wishlist: separate strings for libcrypto and libssl

Richard Levitte via RT rt at openssl.org
Mon Feb 9 16:33:54 UTC 2015


On Mon Feb 09 17:11:39 2015, noloader at gmail.com wrote:
> Google issued the notices based on the presence OpenSSL strings.
> According to the folks on the Android Security team, they based it on
> (https://groups.google.com/d/msg/android-security-discuss/o3ymXQjdQLI/KianK6PIIagJ):
>
> $ unzip -p YourApp.apk | strings | grep "OpenSSL"

That's not what Eric Davis says in that thread, is it? What I'm reading is that
you can figure which of your applications uses OpenSSL by running that command.

> I had software caught up in that because libssl and libcrypto do not
> provide separate strings. That is, libssl was vulnerable, libcrypto
> was OK, but there was no way to differentiate between use of the
> two libraries.
>
> Please consider providing separate strings for libssl and libcrypto so
> third party policing actions can be more surgical.

I have a question, why don't you follow Eric's advice? In the thread mentioned
above, he also says this:

Eric> (2) Please update all statically linked versions of OpenSSL to 1.0.1h,
Eric> 1.0.0m, or 0.9.8za.
Eric> (3) If you are using a 3rd party library that bundles OpenSSL, please
Eric> notify the 3rd party and work with them to address this.

So either you or possible 3rd party providers will have to upgrade OpenSSL,
that's what Eric is telling you.

If the OpenSSL you have and the OpenSSL that the 3rd party has are upgraded to
the versions Eric mentions or later ones, then maybe that should be mentioned to
Google.

Asking us to change all strings to not include "OpenSSL" isn't reasonable.

--
Richard Levitte
levitte at openssl.org
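The check Google's scan is described as running above, `strings | grep "OpenSSL"`, only finds the version text; deciding whether a hit is one of the fixed releases Eric lists (1.0.1h, 1.0.0m, 0.9.8za) is a separate step. The following is an added example, not code from this thread or from the OpenSSL project: it pulls OPENSSL_VERSION_TEXT-style strings ("OpenSSL 1.0.1g 7 Apr 2014") out of a binary blob and compares each against the fixed release for its branch, using OpenSSL's letter patch levels (so 0.9.8z sorts before 0.9.8za). The sample blob is constructed for the example; both libcrypto and libssl carry the same version text, which is why a grep alone cannot say which library a hit came from.

```python
import re

# Earliest fixed release per branch, taken from the advice quoted above.
FIXED = {"1.0.1": "1.0.1h", "1.0.0": "1.0.0m", "0.9.8": "0.9.8za"}

# OPENSSL_VERSION_TEXT looks like "OpenSSL 1.0.1g 7 Apr 2014": three numbers,
# an optional letter patch level, then the release date.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) \d{1,2} \w{3} \d{4}")


def version_key(version):
    """'1.0.1g' -> (1, 0, 1, 'g'). Letter suffixes are patch levels and sort as
    plain strings: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"not an OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def find_openssl_versions(blob):
    """Distinct OpenSSL versions embedded in blob, in order of first appearance
    (a parsed equivalent of `strings | grep OpenSSL`)."""
    seen = []
    for m in VERSION_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        if version not in seen:
            seen.append(version)
    return seen


def is_fixed(version):
    """True if version is at or past the fixed release for its branch,
    False if it is older, None if the branch is not one of the three named."""
    key = version_key(version)
    branch = f"{key[0]}.{key[1]}.{key[2]}"
    if branch not in FIXED:
        return None
    return key >= version_key(FIXED[branch])


def scan(blob):
    """Map every embedded OpenSSL version to a verdict string."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown branch"}
    return {v: labels[is_fixed(v)] for v in find_openssl_versions(blob)}


# Constructed sample (not a real binary): a fake native-library image that
# embeds strings from an unpatched 1.0.1g build, a patched 0.9.8za build and
# a 1.0.2 build that is outside the three branches the advice covers.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 20
    + b"OpenSSL 1.0.1g 7 Apr 2014\x00"
    + b"compiler: arm-linux-androideabi-gcc\x00"
    + b"OpenSSL 1.0.1g 7 Apr 2014\x00"   # second copy, e.g. from libssl
    + b"OpenSSL 0.9.8za 5 Jun 2014\x00"
    + b"OpenSSL 1.0.2 22 Jan 2015\x00"
)

if __name__ == "__main__":
    for version, status in scan(SAMPLE_BLOB).items():
        print(f"{version:10s} {status}")
```

To run it over a real APK, replace SAMPLE_BLOB with the bytes of each native library (`unzip -p YourApp.apk 'lib/*.so'`); a "vulnerable" verdict means the version text is older than the fixed release for that branch, not that a specific call path is reachable.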