Re: [Interest] Google Play 60-day deadline for resolving OpenSSL vulnerabilities

[Jason H]

I just checked my own APK and we're linking against 1.0.1j, and I have NOT received the message you mention. So I would think that either you/Qt or Parse is linking against a vulrnable version. 

 

HTH

 

Sent: Thursday, May 07, 2015 at 4:54 PM
From: "Nuno Santos" <nunosan...@imaginando.pt>
To: "Interests Qt" <interest@qt-project.org>
Subject: Re: [Interest] Google Play 60-day deadline for resolving OpenSSL vulnerabilities

Hi,

 

I have just received this message from Google Play.

 

Since I haven’t linked with OpenSSL explicitly, is there any chance of this being an implicit link from Qt.

 

My app only links with Parse (1.3.0) regarding external libraries.

 

Does anyone else has received this message?

 

Thanks,

 

Regards,

 

Nuno

 

On 07/05/2015, at 21:49, Google Play Developer Support <noreply-developer-googlep...@google.com> wrote:

 

We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL within 60 days of this notification. Beginning 7/7/15, Google Play will block publishing of any new apps and updates that use older, unsupported versions of OpenSSL (see below for details).

REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.

The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via: $ unzip -p YourApp.apk | strings | grep "OpenSSL"

For more information about the vulnerability, please see this OpenSSL Security Advisory. To confirm that you’ve upgraded correctly, upload the updated version of the app(s) to the Developer Console and check back after five hours. For other technical questions about managing OpenSSL, please see https://groups.google.com/forum/#!forum/mailing.openssl.users.

In 60 days, we will not accept app updates containing the vulnerabilities. In addition, we will reject new apps containing the vulnerabilities.

Note: while the issues may not affect every app that uses OpenSSL versions prior to 1.0.1h, 1.0.0m, or 0.9.8za, developers should stay up to date on all security patches. Even if you think that specific issues may not be relevant, it's good practice to update any libraries in your app that have known issues. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

Before publishing applications, please ensure your apps’ compliance with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, visit this Google Play Help Center article.

Regards,
Google Play Team

Affected application(s):

LK - Ableton Live Controller: com.imaginando.lk

©2015 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play Developer account.

_______________________________________________ Interest mailing list Interest@qt-project.org http://lists.qt-project.org/mailman/listinfo/interest

_______________________________________________
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest