Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-46265

Qt use vunerable openssl versions

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.4.2
    • 5.4.1
    • Network: SSL
    • None
    • Android
    • 7a4f3645f44bae78987facbf4e39231d0d2882ef

    Description

      We receive an email from Google telling us that we our application is linked to a version of OpenSSL that will be refused at the next update submission.

      Qt Network component should be statically linked to a fixed version of OpenSSL.


      Copy of the Google's email :
      We wanted to let you know that your app(s) listed below statically link against a version of OpenSSL that has multiple security vulnerabilities for users. Please migrate your app(s) to an updated version of OpenSSL within 60 days of this notification. Beginning 7/7/15, Google Play will block publishing of any new apps and updates that use older, unsupported versions of OpenSSL (see below for details).

      REASON FOR WARNING: Violation of the dangerous products provision of the Content Policy and section 4.4 of the Developer Distribution Agreement.

      The vulnerabilities were fixed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via: $ unzip -p YourApp.apk | strings | grep "OpenSSL"

      For more information about the vulnerability, please see this OpenSSL Security Advisory. To confirm that you’ve upgraded correctly, upload the updated version of the app(s) to the Developer Console and check back after five hours. For other technical questions about managing OpenSSL, please see https://groups.google.com/forum/#!forum/mailing.openssl.users.

      In 60 days, we will not accept app updates containing the vulnerabilities. In addition, we will reject new apps containing the vulnerabilities.

      Note: while the issues may not affect every app that uses OpenSSL versions prior to 1.0.1h, 1.0.0m, or 0.9.8za, developers should stay up to date on all security patches. Even if you think that specific issues may not be relevant, it's good practice to update any libraries in your app that have known issues. Please take this time to update apps that have out-of-date dependent libraries or other vulnerabilities.

      Before publishing applications, please ensure your apps’ compliance with the Developer Distribution Agreement and Content Policy. If you feel we have sent this warning in error, visit this Google Play Help Center article.

      Regards,
      Google Play Team

      Attachments

        Issue Links

          is required for

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-44881 Issues to be fixed before 5.4.2

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-43429 [Android] Qt apps are suspected by Google Play of using an outdated version of OpenSSL

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          For Gerrit Dashboard: QTBUG-46265
          # Subject Branch Project Status CR V
          112965,2 Avoid false positives from google by storing OpenSSL version as Unicode. 5.4.2 qt/qtbase Status: MERGED +2 0

          Activity

            People

              richmoore Richard Moore (qtnetwork)
              flamaros Xavier Bigand
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes