Encryption: The OpenSSL version included is quite outdated

Sunday, October 4, 2015

I was concerned about the included OpenSSL version since the changelog only ever made 1 mention of it in the client changelog history, in April 2014, so I did a bit of digging. There have been a few TeamSpeak 3 releases for both the client and server between now and April 2014.

In April 2014 OpenSSL 1.0.1g was released, and the TeamSpeak 3 client changelog for version 3.0.15 dated 23 Jun 2014 mentions:
Quote:

* Updated openssl to 1.0.1h

In fact, upon inspecting the included OpenSSL library files, it turns out that they are actually an older version, 1.0.1g, and not 1.0.1h.

By the way, the current version as of this writing is OpenSSL 1.0.2d, released on 06 Jul 2015.

Looking at all the serious bugs that OpenSSL has had between April 2014 and now, I'm surprised that little to no attention has been given to this critical piece of software for those of us using the encryption features that the TeamSpeak 3 server and client provide, leaving us exposed to different encryption-related security vulnerabilities. In the few TeamSpeak 3 client and server releases between then and now there were several opportunities to update the included OpenSSL library files, all missed.

What I'm basically aiming for here is that you please take greater care in staying up to date with the OpenSSL releases and library files that are included with the releases you provide.
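One way to make the library-file inspection described in the post repeatable, as an added example that is not part of the original post or TeamSpeak's own tooling: OpenSSL 1.0.x builds embed a banner such as "OpenSSL 1.0.1g 7 Apr 2014", so the script below scans a bundled library for that banner and compares it with the version the changelog claims. The function names and the sample bytes are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Banner format embedded in OpenSSL 1.x libraries: "OpenSSL 1.0.1g 7 Apr 2014"
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")

def version_key(text):
    """Turn '1.0.1g' into a sortable tuple: (1, 0, 1, 'g')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL 1.x style version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def embedded_versions(blob):
    """Return every distinct OpenSSL version found in a binary blob, sorted."""
    found = set()
    for m in BANNER.finditer(blob):
        major, minor, fix, letter = (g.decode() for g in m.groups())
        found.add(f"{major}.{minor}.{fix}{letter}")
    return sorted(found, key=version_key)

def check(blob, claimed):
    """Compare the oldest embedded version with the changelog's claim."""
    versions = embedded_versions(blob)
    if not versions:
        return "no OpenSSL banner found"
    oldest = versions[0]
    if version_key(oldest) < version_key(claimed):
        return f"older than claimed: found {oldest}, changelog says {claimed}"
    return f"ok: found {oldest}"

# Constructed sample standing in for the bytes of a bundled library file.
SAMPLE = b"\x00\x00libeay32\x00OpenSSL 1.0.1g 7 Apr 2014\x00\x00"

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: script.py CLAIMED_VERSION LIBRARY_FILE [LIBRARY_FILE ...]
        for path in sys.argv[2:]:
            print(path, "->", check(Path(path).read_bytes(), sys.argv[1]))
    else:
        print("sample ->", check(SAMPLE, "1.0.1h"))
```

Run against each shipped library on every release, this catches a changelog that names a newer OpenSSL than the files actually contain.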