Well, later, they say:

- As it said in the mail from Google
(http://www.openssl.org/news/secadv_20140605.txt), we should upgrade the
openssl to version 1.0.1h

answers:
- We are aware of openSSL 1.0.1h version and the updated AIR SDK will be 
available soon.
- For mobile applications the AIR SDK 14.0.0.110 is enough and you don't need 
to update the openSSL on pc.
- The openSSL is bundled in the application so the captive application is also 
good to go.
- openSSL(1.0.1g) updates are in the Runtime currently. ADB is different and 
has no role here to cause any vulnerability. 

If we look at the Google Play email, they refer us to this URL:
https://www.openssl.org/news/secadv_20140605.txt
It says:

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.


OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.


Frédéric THOMAS

> From: webdoubl...@hotmail.com
> To: users@flex.apache.org
> Subject: RE: R: R: Alert from Google app store - vulnerable OpenSSL version
> Date: Fri, 13 Jun 2014 13:41:24 +0100
> 
> Yes, it seems to be correct, Adobe is updating its release note about it, see 
> this post [1] comments.
> 
> Frédéric THOMAS
> 
> [1] https://forums.adobe.com/message/6455251#6455251
> 
> > Subject: R: R: Alert from Google app store - vulnerable OpenSSL version
> > Date: Fri, 13 Jun 2014 11:11:19 +0200
> > From: f.demaddal...@patente.it
> > To: users@flex.apache.org
> > 
> > I've just compiled an apk with the latest version of AIR and in 
> > xxx.apk/lib/armeabi-v7a/libCore.so I found the string "OpenSSL 1.0.1g".
> > In the older version of the same apk I found "OpenSSL 1.0.1e".
> > Is 1.0.1g the correct version of OpenSSL? I've updated AIR SDK two hours 
> > ago...
> > Sorry for my bad English
> > 
> > Federico
> > 
> > -----Original message-----
> > From: Tom Chiverton [mailto:t...@extravision.com] 
> > Sent: Friday, 13 June 2014 10:52
> > To: users@flex.apache.org
> > Subject: Re: R: Alert from Google app store - vulnerable OpenSSL version
> > 
> > On 13/06/14 09:20, Federico De Maddalena wrote:
> > > I received the same email...probably we have to recompile with the 
> > > latest version of air sdk 14 (14.0.0.110)
> > And as newer AIRs don't support Linux, that's the end of distributing AIR 
> > apps directly from Linux :-/ Something else I need VirtualBox for I suppose 
> > !
> > 
> > Tom
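The check Federico describes in the thread (looking for the OpenSSL banner string in the native libraries inside the APK), written out as an added example; it is not code from the original messages or from the AIR SDK. The function names are hypothetical, the sample APK is constructed in memory, and the 1.0.1h threshold is the one quoted from the advisory above.

```python
import io
import re
import zipfile

# Version banner embedded in OpenSSL binaries, e.g. "OpenSSL 1.0.1g".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
# Advisory of 5 Jun 2014: OpenSSL 1.0.1 users should upgrade to 1.0.1h.
FIXED_1_0_1 = (1, 0, 1, "h")


def openssl_versions_in_apk(apk):
    """Map each lib/**/*.so entry of the APK to the OpenSSL versions it embeds."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                hits = {
                    (int(a), int(b), int(c), d.decode())
                    for a, b, c, d in BANNER.findall(zf.read(name))
                }
                if hits:
                    found[name] = sorted(hits)
    return found


def needs_upgrade(version):
    """True for a 1.0.1-branch build older than 1.0.1h; other branches are not judged."""
    letter, fixed = version[3], FIXED_1_0_1[3]
    # Compare (length, letters) so a longer suffix never sorts below a shorter one.
    return version[:3] == FIXED_1_0_1[:3] and (len(letter), letter) < (len(fixed), fixed)


def build_sample_apk(banner):
    """Constructed sample: an in-memory APK whose libCore.so contains `banner`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libCore.so", b"\x7fELF\x00" + banner + b"\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for banner in (b"OpenSSL 1.0.1e", b"OpenSSL 1.0.1g", b"OpenSSL 1.0.1h"):
        for lib, versions in openssl_versions_in_apk(build_sample_apk(banner)).items():
            for v in versions:
                print(lib, "%d.%d.%d%s" % v, "UPGRADE" if needs_upgrade(v) else "ok")
```

To check a real build, pass the path of the .apk file to openssl_versions_in_apk() instead of the constructed sample.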