OpenSSL Libraries Update Request
Hello,
I hope that you are doing well today.
I would like to provide a suggestion for inclusion with a future update to Freedome. I installed the 1.10.3502.0 update when it became available.
Currently Freedome includes library files from OpenSSL 1.0.1t (1.0.1.20)(dating back to 3rd May 2016).
The file names are (both files are 32 bit DLLs) located in the
C:\Program Files (x86)\F-Secure\Freedome\Freedome\1.1 folder:
libeay32.dll
ssleay32.dll
These 3rd party open source libraries contain one known high severity vulnerability (CVE-2016-6304) as listed on the following page:
https://www.openssl.org/news/vulnerabilities.html
According to the following OpenSSL blog post and security advisory, the 1.0.1 version of OpenSSL has ceased receiving security updates as of December 31st 2016:
https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/
https://www.openssl.org/news/secadv/20170126.txt
The Python Foundation released Python 2.7.12 in June 2016, which also updated to OpenSSL 1.0.2h, and updated again in December 2016 to 1.0.2j with Python 2.7.13.
Directory Opus also updated its version of the included OpenSSL libraries to a version after the Heartbleed flaw was resolved, 1.0.1.7 (1.0.1g) (dated April 2014), and again in March 2015 to version 1.0.2a. They acknowledged that it was not possible to exploit this well-known flaw within their application but patched it simply for thoroughness.
For the above reasons I would hope that you will consider updating this 3rd party library to a newer version and continue to update it as new versions are made available (as the other vendors mentioned above already do).
Thank you for your time. Have a good day.
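Added example, not part of the original post and not F-Secure's or OpenSSL's code: a Python sketch that inventories bundled `libeay32.dll` / `ssleay32.dll` files under an install folder and reads the version banner embedded in each. It assumes the banner has the form `OpenSSL 1.0.1t  3 May 2016`; the function names are hypothetical, and the unsupported list holds only the 1.0.1 branch named in the post.

```python
import re
import sys
from pathlib import Path

# Assumed banner format embedded in the library, e.g. b"OpenSSL 1.0.1t  3 May 2016".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-fips)?\s+(\d{1,2} [A-Z][a-z]{2} \d{4})"
)

# Only the branch the post names as out of support (no security updates after
# 31 December 2016). Extend this set from OpenSSL's release policy.
UNSUPPORTED_BRANCHES = {"1.0.1"}

DLL_NAMES = {"libeay32.dll", "ssleay32.dll"}

# Constructed bytes for a quick demo; not taken from a real DLL.
SAMPLE = b"MZ\x90\x00padding\x00OpenSSL 1.0.1t  3 May 2016\x00"


def parse_banner(data: bytes):
    """Return (branch, patch_letter, build_date), or None if no banner is found."""
    m = BANNER.search(data)
    if not m:
        return None
    return tuple(g.decode("ascii") for g in m.groups())


def audit_tree(root):
    """Walk root and report each bundled OpenSSL DLL as (path, version, status)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name.lower() not in DLL_NAMES or not path.is_file():
            continue
        parsed = parse_banner(path.read_bytes())
        if parsed is None:
            # Banner missing or stripped: needs a manual look, not a pass.
            findings.append((str(path), None, "unknown"))
            continue
        branch, letter, date = parsed
        status = "unsupported" if branch in UNSUPPORTED_BRANCHES else "check advisories"
        findings.append((str(path), f"{branch}{letter} ({date})", status))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for row in audit_tree(sys.argv[1]):
            print(*row, sep="\t")
    else:
        print(parse_banner(SAMPLE))
```

Run it with the install folder as the only argument; a file reported as `unknown` has no readable banner and should be checked by other means such as the file's version resource.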