Florian Sailer <[email protected]> writes:
> I have an app in the play store based on Crosswalk Cordova 9 (Android,
> ARM).
> Yesterday I received the following warning from the store: [...]
> I'm having difficulties to figure out which piece of the stack is using
> a statically linked version of OpenSSL.
> Could this warning actually be related to Crosswalk Cordova?

Answering here as well for posterity. The tracking bug for this issue is XWALK-3217.

Long story short, until Crosswalk 9 the Chromium versions we built upon all used their own OpenSSL copy on Android (that's the part of the stack the warning is coming from). For Crosswalk 8 and 9, the OpenSSL version is 1.0.1e plus security fixes (such as the Heartbleed ones) backported from 1.0.1h. Since Chromium backported those fixes but did not update OpenSSL's version number, the Play Store consequently flagged Crosswalk-based apps as vulnerable.

Starting with Crosswalk 10, we use a Chromium version that ships BoringSSL instead of OpenSSL, so the problem no longer exists. If you can, please move to Crosswalk 10 (it is currently in beta but expected to be moved to stable soon). If you cannot, you can submit an appeal to the Play Store if your app ends up being suspended (see the comments in XWALK-3217), since it is not actually vulnerable.
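
One way to find which native library in an APK carries the OpenSSL copy, and to see that a version banner reports 1.0.1e whether or not fixes were backported. This is an added example, not part of the original thread or Crosswalk's code; it assumes the flagging keys on the embedded version banner string, and the sample APK contents and library names are constructed.

```python
import io
import re
import zipfile

# Added example. OpenSSL embeds a version banner in its binaries,
# e.g. b"OpenSSL 1.0.1e 11 Feb 2013"; a statically linked copy keeps it.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def find_openssl_banners(apk):
    """Map each native library in the APK to the OpenSSL versions it embeds.

    `apk` is a path or a binary file object. Only lib/<abi>/*.so entries are
    read, since that is where statically linked native code lives.
    """
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            versions = {m.group(1).decode() for m in BANNER.finditer(data)}
            if versions:
                hits[name] = sorted(versions)
    return hits


def build_sample_apk():
    """Constructed sample: an in-memory APK with hypothetical library names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stands in for a web runtime library with a bundled OpenSSL copy.
        zf.writestr("lib/armeabi-v7a/libexample_web.so",
                    b"\x7fELF\x00junk\x00OpenSSL 1.0.1e 11 Feb 2013\x00more")
        # A library with no TLS code at all.
        zf.writestr("lib/armeabi-v7a/libexample_app.so", b"\x7fELF\x00no tls")
        # Non-code asset mentioning the string; must not be reported.
        zf.writestr("assets/readme.txt", b"built against OpenSSL 1.0.1e")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for lib, versions in find_openssl_banners(build_sample_apk()).items():
        # The banner names the base release only; backported fixes are invisible.
        print(f"{lib}: OpenSSL {', '.join(versions)}")
```

The result names the library to investigate, but whether that copy is patched has to be established from the build's source history, not from the banner.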
