Vulnerable OpenSSL version
Closed this issue · 2 comments
aTalk uses vulnerable OpenSSL version 1.0.1j as you can see in
aTalk/jni/openssl/openssl.version
As a short-term fix, update to OpenSSL 1.0.2u
https://www.openssl.org/news/vulnerabilities.html
Because OpenSSL 1.0.2 was announced End-of-Life, please consider upgrading to the OpenSSL 1.1.1 series. This is a Long Term Support (LTS) version, supported until 11th September 2023.
https://www.openssl.org/source/
https://www.openssl.org/blog/blog/2019/11/07/3.0-update/
Please refer to the aTalk release note; since aTalk version 1.8.3, it already uses OpenSSL v1.0.2r:
=========================================================================
Version: 1.8.3 (1083)
Author: cmeng
Upload Date: 05/23/2019
- Upgrade openssl jni library to 1.0.2r (1.0.2l)
To find out the exact OpenSSL version being used in the aTalk build, you need to refer to
aTalk/jni/Android.mk, which is the script used to build all the aTalk JNI libs, i.e. the 1.0.1j source is there only for reference. aTalk actually uses the pre-built OpenSSL 1.0.2r *.a static libraries.
```makefile
# ================================= OpenSSL ===========================================
### OpenSSL shared library build (source in jni/openssl)
# Contains both static libraries-1.0.2r pre-built on Ubuntu 18.04 and
# sources-1.0.1j from site (Android_src.mk - build has error using android studio ndk on Windows 7)
LOCAL_PATH := $(ROOT)
# https://github.com/aosp-mirror/platform_external_openssl/tree/android-5.1.1_r38
# Local AS NDK built from source (OPENSSL_VERSION=1.0.1j) - build ok on Ubuntu Android Studio
# include openssl/Android.mk
## Built static library from source (version 1.0.2r) on ubuntu 18.04
# Built from static library (unable to build from source - #TODO)
include openssl/Android_a.mk
```
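The comment above makes the point that the version file under `jni/openssl` does not tell you what actually gets linked; the pre-built `*.a` archives do. A way to settle that question without trusting either the version file or the build script is to read the `OpenSSL x.y.zp` banner that libcrypto embeds (its `OPENSSL_VERSION_TEXT`) straight out of the archive and compare it against a minimum. The following script is an added example and is not part of the aTalk project or of this issue; the `SAMPLE_BLOB` bytes, the minimum version `1.0.2u` and the function names are constructed for the example, and the banner dates inside the sample are illustrative only.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# libcrypto embeds its OPENSSL_VERSION_TEXT banner, e.g. b"OpenSSL 1.0.2r  26 Feb 2019".
# The pattern captures the three numeric parts and the optional patch letters.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.0.2r' into a sortable tuple such as (1, 0, 2, 18).

    Pre-1.1.1 OpenSSL patch releases are lettered (a..z, then za, zb, ...);
    the letters are mapped to a number so that 'z' sorts below 'za' and a
    release with no letter (e.g. 1.1.1) sorts below 1.1.1a.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def find_versions(blob: bytes) -> List[str]:
    """Return every distinct OpenSSL version banner found in a binary, in file order.

    A static archive built from mixed object files can carry more than one
    banner, which is exactly the situation worth noticing.
    """
    seen: List[str] = []
    for m in VERSION_RE.finditer(blob):
        v = ".".join(g.decode() for g in m.groups()[:3]) + m.group(4).decode()
        if v not in seen:
            seen.append(v)
    return seen


def check_blob(blob: bytes, minimum: str) -> Dict[str, object]:
    """Report which banners were found and which fall below `minimum`.

    `ok` is False when no banner is present at all: an archive that claims
    to be OpenSSL but carries no version text should be looked at, not passed.
    """
    found = find_versions(blob)
    too_old = [v for v in found if version_key(v) < version_key(minimum)]
    return {"found": found, "too_old": too_old, "ok": bool(found) and not too_old}


def check_file(path: str, minimum: str) -> Dict[str, object]:
    """Run the check against a real file, e.g. a prebuilt libcrypto.a."""
    return check_blob(Path(path).read_bytes(), minimum)


# Constructed sample (not a real archive): two banners side by side, as if
# 1.0.1j objects had been linked into the same library as 1.0.2r ones.
SAMPLE_BLOB = (
    b"\x00junk\x00OpenSSL 1.0.1j 15 Oct 2014\x00"
    b"more junk\x00OpenSSL 1.0.2r  26 Feb 2019\x00"
)

if __name__ == "__main__":
    # Usage: python check_openssl_version.py [libcrypto.a ...]
    # With no arguments the constructed sample is checked instead.
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            print(target, check_file(target, "1.0.2u"))
    else:
        print(check_blob(SAMPLE_BLOB, "1.0.2u"))
```

Run it against the prebuilt archives the build actually includes (the `*.a` files referenced from `openssl/Android_a.mk`), not against the source tree, since the banner in the source tree is the one the comment above already says is only there for reference. Seeing more than one banner in a single archive, or none, is a finding in its own right.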
aTalk v2.1.6 has upgraded OpenSSL to v1.0.2u