OpenSSL Libraries Update Request

Hello,

 

I hope that you are doing well today.

 

I would like to provide a suggestion for inclusion with a future update to Freedome. I installed the 1.10.3502.0 update when it became available.

 

Currently Freedome includes library files from OpenSSL 1.0.1t (1.0.1.20)(dating back to 3rd May 2016).

The file names are (both files are 32 bit DLLs) located in the C:\Program Files (x86)\F-Secure\Freedome\Freedome\1.1 folder:

 

libeay32.dll

ssleay32.dll

 

These 3rd party open source libraries contain one known high severity vulnerability (CVE-2016-6304) as listed on the following page:

 

https://www.openssl.org/news/vulnerabilities.html

 

According to the following OpenSSL blog post and security advisory, the 1.0.1 version of OpenSSL has ceased receiving security updates as of December 31st 2016:

 

https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/

 

https://www.openssl.org/news/secadv/20170126.txt

 

The Python Foundation released Python 2.7.12 in June 2016, which also updated to OpenSSL 1.0.2h, and updated again in December 2016 to 1.0.2j with Python 2.7.13.

 

Directory Opus also updated its version of the included OpenSSL libraries to a version after the Heartbleed flaw was resolved, 1.0.1.7 (1.0.1g) (dated April 2014), and again in March 2015 to version 1.0.2a. They acknowledged that it was not possible to exploit this well-known flaw within their application but patched it simply for thoroughness.

 

For the above reasons I would hope that you will consider updating this 3rd party library to a newer version and continue to update it as new versions are made available (as the other vendors mentioned above already do).

 

Thank you for your time. Have a good day.
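
One way to run the inventory behind this request, as an added example that is not part of the original post or of any vendor's code: it finds bundled `libeay32.dll`/`ssleay32.dll` files under a folder, reads the OpenSSL version banner embedded in each, and flags the 1.0.1 branch as out of support. The function names, the `EOL_BRANCHES` set and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# OpenSSL embeds its version text in the library, e.g. b"OpenSSL 1.0.1t  3 May 2016".
VERSION_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[a-z0-9]+)?\s+"
    rb"(\d{1,2} [A-Z][a-z]{2} \d{4})"
)
# Branches treated as out of support. Only 1.0.1 comes from the post above
# (assumption: extend this set from the OpenSSL release strategy page).
EOL_BRANCHES = {(1, 0, 1)}
DLL_NAMES = {"libeay32.dll", "ssleay32.dll"}

# Constructed sample bytes standing in for a DLL's contents (not a real file).
SAMPLE = b"MZ\x00\x00padding\x00OpenSSL 1.0.1t  3 May 2016\x00more"


def openssl_banner(data):
    """Return (branch, version, build_date) for the first banner, or None."""
    m = VERSION_RE.search(data)
    if m is None:
        return None
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    version = "%d.%d.%d" % branch + m.group(4).decode()
    return branch, version, m.group(5).decode()


def audit(root):
    """List (path, version, build_date, is_eol) for each bundled OpenSSL DLL."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.lower() not in DLL_NAMES:
            continue
        banner = openssl_banner(path.read_bytes())
        if banner is None:
            # Name matched but no banner found: report it for manual review.
            findings.append((str(path), None, None, False))
            continue
        branch, version, built = banner
        findings.append((str(path), version, built, branch in EOL_BRANCHES))
    return findings


if __name__ == "__main__":
    print("sample:", openssl_banner(SAMPLE))
    for path, version, built, eol in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "END OF LIFE branch" if eol else "check current advisories"
        print(f"{path}: OpenSSL {version} ({built}) -> {status}")
```

A branch that is not flagged is not thereby clean; the reported version still has to be compared against the OpenSSL vulnerabilities page.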

Comments

  • Laksh Posts: 4,439 Community Manager

    Hi AJB4793,

     

    Thanks for your detailed feedback. I will take it to the Freedome team and will keep you posted if there is an input.

     

  • Hi Laksh,

     

    Many thanks for your quick response. I really appreciate you bringing this to the attention of the Freedome team.

This discussion has been closed.