ijkplayer

openssl 1.0.2 version is too old

Open a174232 opened this issue 5 years ago • 5 comments

The current ssl 1.0.2n version has been flagged with 3 CVE vulnerabilities; please fix them. The vulnerability descriptions are as follows:

CVE-2018-0732 Date 2018-06-12 – CVSS v3 Base Score: 7.5 – Exact match

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

During a TLS handshake using a DH(E)-based cipher suite, a malicious server can send a very large initial value to the client. This causes the client to spend an unreasonably long time generating a key for this prime, hanging until the client has finished. This can be exploited in a denial-of-service attack. Fixed in OpenSSL 1.1.0i-dev (affects 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (affects 1.0.2-1.0.2o).

CVE-2018-0739 Date 2018-03-27 – CVSS v3 Base Score: 6.5 – Exact match

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

During a TLS handshake using a DH(E)-based cipher suite, a malicious server can send a very large initial value to the client. This causes the client to spend an unreasonably long time generating a key for this prime, hanging until the client has finished. This can be exploited in a denial-of-service attack. Fixed in OpenSSL 1.1.0i-dev (affects 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (affects 1.0.2-1.0.2o).

CVE-2018-0737 Date 2018-04-16 – CVSS v3 Base Score: 5.9 – Exact match

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

The OpenSSL RSA key generation algorithm has been shown to be vulnerable to a cache-timing side-channel attack. An attacker with sufficient access to mount cache-timing attacks during RSA key generation can recover the private key. Fixed in OpenSSL 1.1.0i-dev (affects 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (affects 1.0.2b-1.0.2o).

a174232, Dec 25 '18 07:12

We will upgrade as soon as possible. For now, developers can upgrade by changing the version number in the build scripts https://github.com/Bilibili/ijkplayer/blob/master/init-android-openssl.sh#L22 and https://github.com/Bilibili/ijkplayer/blob/master/init-ios-openssl.sh#L21 and recompiling. The latest version is OpenSSL_1_0_2q.

ctiao, Dec 25 '18 09:12
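Added example (not part of the original thread and not ijkplayer's code): a small checker that finds OpenSSL tags or versions pinned in a build script and reports which of the three CVEs quoted in the issue cover that release, using only the affected ranges stated there. The sample script text and the variable name `OPENSSL_TAG` are constructed for illustration.

```python
import re

# Affected ranges exactly as quoted in the issue text: (branch, first, last), inclusive.
# "" stands for the release without a letter suffix (e.g. 1.0.2 itself).
AFFECTED = {
    "CVE-2018-0732": [("1.0.2", "", "o"), ("1.1.0", "", "h")],
    "CVE-2018-0739": [("1.0.2", "b", "n"), ("1.1.0", "", "g")],
    "CVE-2018-0737": [("1.0.2", "b", "o"), ("1.1.0", "", "h")],
}

# Matches git tags (OpenSSL_1_0_2n) and dotted versions (1.0.2n).
VERSION_RE = re.compile(
    r"(?<![\w.])(?:OpenSSL_)?(\d)[._](\d)[._](\d)([a-z]{0,2})(?![\w.])")


def _rank(letters):
    # "" < "a" < ... < "z" < "za": shorter suffix first, then alphabetical.
    return (len(letters), letters)


def affected_cves(branch, letters):
    """CVE ids from AFFECTED whose quoted range contains this release."""
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(b == branch and _rank(lo) <= _rank(letters) <= _rank(hi)
               for b, lo, hi in ranges))


def audit(text):
    """Map each OpenSSL version string found in text to its matching CVE ids."""
    report = {}
    for m in VERSION_RE.finditer(text):
        branch = ".".join(m.group(1, 2, 3))
        report[m.group(0)] = affected_cves(branch, m.group(4))
    return report


# Constructed sample: OPENSSL_TAG is a hypothetical variable name, not the
# real content of init-android-openssl.sh.
SAMPLE_SCRIPT = """\
OPENSSL_TAG=OpenSSL_1_0_2n
# candidate upgrade: OpenSSL_1_0_2q
"""

if __name__ == "__main__":
    for version, cves in audit(SAMPLE_SCRIPT).items():
        print(version, "->", ", ".join(cves) or "outside the ranges quoted in this issue")
```

An empty result only means the release falls outside the ranges quoted in this issue; it says nothing about advisories published later.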

When it is pulled in directly like this, with compile 'tv.danmaku.ijk.media:ijkplayer-java:0.8.8', it cannot be changed, right? Do I have to download the files and compile it manually?

a174232, Dec 25 '18 09:12

@a174232 Please upgrade to 1.0.2q.

Android4MediaPlayer, Dec 27 '18 05:12

Can the latest be upgraded to 1_0_2r? A new security vulnerability has appeared, and the report says an upgrade to version 1_0_2r is needed.

a174232, Mar 06 '19 01:03

Try this one: built with NDK21, supports Clang builds, openssl 1.1.1o, multi-threaded builds on Linux, https://github.com/hydrogenium2020-offical/ijkplayer

hydrogenium2020-offical, Jun 10 '22 03:06