1

I'm developing an app with Android Crosswalk.

A few days ago, an alert e-mail arrived from Google Play about a security issue in OpenSSL.

The method for verifying the OpenSSL version was described in the e-mail:

The vulnerabilities were addressed in OpenSSL versions beginning with 1.0.1h, 1.0.0m, and 0.9.8za. To confirm your OpenSSL version, you can do a grep via ("$ unzip -p YourApp.apk | strings | grep "OpenSSL""). For more information about the vulnerability, please consult http://www.openssl.org/news/secadv_20140605.txt.

But when unzip is run on Windows, an error occurs ("strings" is an invalid command).

Crosswalk's current version is 9.38.208.10. How can I verify OpenSSL is safe?

Tank2005

2 Answers

3

Crosswalk is running an older version of OpenSSL. I work at Intel (on a different team) and we are aware of the issue and raising it with the Crosswalk team.

OpenSSL default user interface
OpenSSL 1.0.1e 11 Feb 2013
CRABOLO
Ian Maffett
  • Can I patch the openssl version myself? Are the beta/canary versions running a fixed openssl? – markmarijnissen Dec 19 '14 at 08:44
  • Chromium 39 (which Crosswalk 10 is based off) switched to BoringSSL. https://crosswalk-project.org/documentation/downloads.html You can download Crosswalk 10 beta and you will be fine. Thanks for taking the time to report this. – Ian Maffett Dec 19 '14 at 12:12
0

You should have the packages containing unzip, strings and grep installed in Cygwin in order for that command to work.

From the error message, looks like you're missing strings. Did you install the binutils package?

See http://cygwin.com/cgi-bin2/package-grep.cgi?grep=strings.exe

matiash
  • I mistakenly thought that "strings" was a parameter. The command was successful when binutils was installed. However, a version number is not found. – Tank2005 Dec 18 '14 at 07:26
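
An added example, not part of the original posts: a Python script that performs the same check as the `unzip -p YourApp.apk | strings | grep "OpenSSL"` command from the question without needing Cygwin, and compares each banner against the fixed versions named in the e-mail. The sample archive and its member names are constructed, and treating branches newer than 1.0.1 as fixed is an assumption.

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1e 11 Feb 2013" in its binaries.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")
# First fixed release per branch, as stated in the quoted advisory e-mail.
FIXED = {(1, 0, 1): "h", (1, 0, 0): "m", (0, 9, 8): "za"}


def is_fixed(branch, letters):
    """True if the release is at or past the first fixed one on its branch."""
    if branch in FIXED:
        fixed = FIXED[branch]
        # Letter suffixes order by length first ("za" follows "z"), then alphabetically.
        return (len(letters), letters) >= (len(fixed), fixed)
    # Assumption: branches newer than 1.0.1 carry the fix; older ones do not.
    return branch > (1, 0, 1)


def scan_apk(apk):
    """Return sorted (member, version, fixed) for each OpenSSL banner in the APK."""
    found = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            for m in BANNER.finditer(zf.read(name)):  # read() decompresses the member
                major, minor, patch, letters = m.groups()
                branch = (int(major), int(minor), int(patch))
                version = "%d.%d.%d%s" % (branch + (letters.decode(),))
                found.add((name, version, is_fixed(branch, letters.decode())))
    return sorted(found)


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/armeabi-v7a/libold.so", b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        zf.writestr("lib/armeabi-v7a/libnew.so", b"\x7fELF\x00OpenSSL 1.0.1h 5 Jun 2014\x00")
        zf.writestr("classes.dex", b"dex\n035\x00no banner here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Replace build_sample_apk() with the path to a real .apk file.
    for member, version, fixed in scan_apk(build_sample_apk()):
        print(member, version, "fixed" if fixed else "VULNERABLE")
```

An empty result only means no version banner was found in the archive's decompressed members; it does not show that OpenSSL is absent.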