Why does OpenSSL always have vulnerabilities? The latest vulnerability

Hello Google Play Developer,
Your app(s) listed at the end of this email utilize a version of OpenSSL that contains one or more security vulnerabilities. If you have more than 20 affected apps in your account, please check the Developer Console for a full list.

Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.

The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions of OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").

To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.

The vulnerabilities include “logjam” and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”

While these specific issues may not affect every app that uses OpenSSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.

Apps must also comply with the Developer Distribution Agreement and Developer Program Policies. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.

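We use 1.01h, and some of our projects on versions below 3.0 (2.2.3, 2.2.2 and the like) received the warning.
Even the latest libcurl probably hasn't reached 1.02f or 1.01r yet, has it?
Looking for a fix.
Ours is a single-player game, so it shouldn't be using libcurl; it's the engine library itself that uses it. Is there a way to remove it? This isn't the first vulnerability, and we have many projects, so upgrading all of them each time is too much trouble.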

@偶尔e网事

Same request here, I've run into this problem too.

I received it today too. Has anyone received it for 3.x projects?
The vulnerabilities were addressed in OpenSSL 1.02f/1.01r.
1.02f and 1.01r are vulnerable to attack

4444 2016-Mar-01 13:54:09 openssl-1.0.1s.tar.gz (SHA256) (PGP sign) (SHA1)
5142 2016-Mar-01 13:54:09 openssl-1.0.2g.tar.gz (SHA256) (PGP sign) (SHA1)
Does this mean we need to compile the latest version of openssl ourselves?

I received this email today too. Looking for a solution.

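I looked around and couldn't find a prebuilt one.
In cocos2dx 3.9, curl is 7.40
and it uses openssl 1.0.1l.
I copied the curl from 3.9 over and recompiled it with openssl 1.01t-dev (1.01s has problems with curl 7.40).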

Anyone who wants the convenient route can download the one I compiled:
http://yun.baidu.com/s/1bD6UD4

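I used this and the build passed, but the project is too old and has all kinds of problems, so I can't be bothered to keep fiddling with it. I spent ages looking for the button to unpublish from Google Play and couldn't find that either. Sigh.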

This means it was fixed in versions 1.02f/1.01r, right?

— Begin quote from ____

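Quoting post #5 by 573396662, posted 2016-04-02 17:13:
I looked around and couldn't find a prebuilt one.
In cocos2dx 3.9, curl is 7.40
and it uses openssl 1.0.1l.
I copied the curl from 3.9 over and recompiled it with openssl 1.01t-dev (1.01s has problems with curl 7.40).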

http://www.cocoachina.com/bbs/job.php?action=topost&tid=1677396&pid=1533182

— End quote

This works for 3.X projects, but it probably won't work for 2.X projects.

I'm using it with version 2.2.6 and haven't found any problems so far.

— Begin quote from ____

Quoting post #9 by 573396662, posted 2016-04-05 13:41, in reply to post #8 (无为而治):
I'm using it with version 2.2.6 and haven't found any problems so far. http://www.cocoachina.com/bbs/job.php?action=topost&tid=1677396&pid=1534013

— End quote

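The curl in 2.2.6 only has one .a file, while the one in 3.9 has three.
I tried replacing just that one and it doesn't work; the build fails with errors.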

So, has this been solved?

Ran into the same problem. I'm using 3.2. Looking for a solution.

3.4, same request here.
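
The version check from the Google Play email at the top of the thread, as an added example that is not part of any post or of Google's tooling: it reports which file inside an APK carries an OpenSSL banner and compares it with the minimums in the email, read here as upstream 1.0.2f and 1.0.1r. The sample APK, its file names and the function names are constructed for illustration.

```python
import io
import re
import zipfile

# Banner compiled into libssl/libcrypto, e.g. "OpenSSL 1.0.1h 5 Jun 2014".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-\w+)?\s")

# Minimum letter per branch, from the email (written there as 1.02f/1.01r).
MINIMUM = {(1, 0, 2): "f", (1, 0, 1): "r"}


def is_flagged(branch, letter):
    """True if the version is older than the minimum the email asks for."""
    if branch in MINIMUM:
        # Letters order a < ... < z < za < zb, so compare length first.
        return (len(letter), letter) < (1, MINIMUM[branch])
    return branch < (1, 0, 1)  # 1.0.0 and older are flagged; newer branches pass


def scan_apk(apk):
    """Return sorted (entry, version, flagged) for every banner inside an APK."""
    found = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            for m in BANNER.finditer(z.read(name)):
                branch = tuple(int(g) for g in m.group(1, 2, 3))
                letter = m.group(4).decode()
                version = "%d.%d.%d%s" % (*branch, letter)
                found.add((name, version, is_flagged(branch, letter)))
    return sorted(found)


def build_sample_apk():
    """Constructed in-memory APK with fake .so blobs (not real libraries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("lib/armeabi/libgame.so",
                   b"\x7fELF\0MD5 part of OpenSSL 1.0.1h 5 Jun 2014\0")
        z.writestr("lib/armeabi/libnet.so",
                   b"\x7fELF\0OpenSSL 1.0.1t-dev  xx XXX xxxx\0")
        z.writestr("classes.dex", b"dex\n035\0no banner here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, version, flagged in scan_apk(build_sample_apk()):
        print(name, version, "UPGRADE" if flagged else "ok")
```

Pass a path to a real APK to `scan_apk` to see which bundled library still carries an old banner, which is the case several posters describe where the engine's prebuilt curl pulls in OpenSSL.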