diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 286a5510..f554987b 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -513,8 +513,9 @@ def has_known_vulnerability(filename):
                     m = has_known_vulnerability.pattern.search(chunk)
                     if m:
                         version = m.group(1).decode('ascii')
-                        if version.startswith('1.0.1') and version[5] >= 'r' \
-                           or version.startswith('1.0.2') and version[5] >= 'f':
+                        if (version.startswith('1.0.1') and len(version) > 5 and version[5] >= 'r') \
+                           or (version.startswith('1.0.2') and len(version) > 5 and version[5] >= 'f') \
+                           or re.match(r'[1-9]\.[1-9]\.[0-9].*', version):
                             logging.debug('"%s" contains recent %s (%s)', filename, name, version)
                         else:
                             logging.warning('"%s" contains outdated %s (%s)', filename, name, version)
diff --git a/tests/openssl-version-check-test.py b/tests/openssl-version-check-test.py
new file mode 100755
index 00000000..69d4d1ce
--- /dev/null
+++ b/tests/openssl-version-check-test.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+#
+# implementing a version check of known bad OpenSSL versions, for example:
+# https://support.google.com/faqs/answer/6376725?hl=en
+#
+# This is used in update.has_known_vulnerability()
+
+import re
+import requests
+
+# this list was generated using:
+# for f in `curl | grep -Eo '[0-9]\.[0-9]\.[0-9][a-z]?' | sort -u`; do echo "'$f',"; done
+versions = [
+]
+
+r = requests.get('https://www.openssl.org/news/changelog.html')
+
+safe = set()
+bad = set()
+
+for m in re.findall(b'[0-9]\.[0-9]\.[0-9][a-z]?', r.content):
+    version = str(m, encoding='utf-8')
+    if (version.startswith('1.0.1') and len(version) > 5 and version[5] >= 'r') \
+       or (version.startswith('1.0.2') and len(version) > 5 and version[5] >= 'f') \
+       or re.match(r'[1-9]\.[1-9]\.[0-9].*', version):
+        safe.add(version)
+    else:
+        bad.add(version)
+
+print('safe:', sorted(safe))
+print('bad:', sorted(bad))
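Review bot: The new third branch `re.match(r'[1-9]\.[1-9]\.[0-9].*', version)` classifies every version with a non-zero minor number (1.1.0 and anything later, including 2.x through 9.x) as recent regardless of patch letter, so this check can only ever flag the two 1.0.x floors and will silently pass future vulnerable 1.1.x builds until someone revisits it; the trailing `.*` is also redundant with `re.match`. The letter comparisons `version[5] >= 'r'` and `>= 'f'` are only meaningful for single-letter patch suffixes, and strings such as `1.0.2-fips` or `1.0.2-beta1` fall into the warning branch because `-` sorts below any letter, which may or may not be intended. I would document the floor the code encodes and its origin above the `if`, e.g. `# Known-bad floors per the Google Play OpenSSL advisory: 1.0.1 < r, 1.0.2 < f; any 1.1.0+ or higher major is assumed current — revisit as new advisories land`. has_known_vulnerability() starts before and continues after this hunk, so whether the warning branch also feeds the function's return value is not visible here.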
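Review bot: The new script re-implements the classification from update.has_known_vulnerability() instead of importing and calling it, so the two copies can drift apart without this "test" noticing, and it depends on a live fetch of openssl.org at run time, which makes it a manual helper rather than something the suite can run offline or in CI. The `requests.get('https://www.openssl.org/news/changelog.html')` call has no `timeout` and never checks the response status, so a hung connection blocks forever and an error page is parsed as an empty changelog that prints nothing suspicious; I would write `r = requests.get('https://www.openssl.org/news/changelog.html', timeout=30)` followed by `r.raise_for_status()`. The bytes pattern `b'[0-9]\.[0-9]\.[0-9][a-z]?'` should be a raw literal (`rb'...'`), since `\.` in a non-raw literal is an invalid escape that newer Python versions warn about, and the empty `versions = [ ]` list with its stale `curl` comment (no URL given) is dead code that should either be filled in or removed.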