I just received an email from Google play stating:
Hello Google Play Developer,
Your app(s) listed at the end of this email utilize a version of OpenSSL that >contains one or more security vulnerabilities. If you have more than 20 >affected apps in your account, please check the Developer Console for a full >list.
Please migrate your app(s) to OpenSSL 1.02f/1.01r or higher as soon as possible and increment the version number of the upgraded APK. Beginning July 11, 2016, Google Play will block publishing of any new apps or updates that use older versions of OpenSSL. If you’re using a 3rd party library that bundles OpenSSL, you’ll need to upgrade it to a version that bundles OpenSSL 1.02f/1.01r or higher.
The vulnerabilities were addressed in OpenSSL 1.02f/1.01r. The latest versions of OpenSSL can be downloaded here. To confirm your OpenSSL version, you can do a grep search for ($ unzip -p YourApp.apk | strings | grep "OpenSSL").
To confirm you’ve upgraded correctly, submit the updated version to the Developer Console and check back after five hours. If the app hasn’t been correctly upgraded, we will display a warning.
The vulnerabilities include "logjam" and CVE-2015-3194. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. Details about other vulnerabilities are available here. For other technical questions, you can post to Stack Overflow and use the tags “android-security” and “OpenSSL.”
While these specific issues may not affect every app that uses OpenSSL, it’s best to stay up to date on all security patches. Apps with vulnerabilities that expose users to risk of compromise may be considered in violation of our Malicious Behavior policy and section 4.4 of the Developer Distribution Agreement.
Apps must also comply with the Developer Distribution Agreement and Developer Program Policies. If you feel we have sent this warning in error, contact our policy support team through the Google Play Developer Help Center.
Regards,
The Google Play Team
Guide me out of this if smatface app studio needs to be updated or not. Do let me know when will the update come.
Related
Question is above. I read that you have to pay for this service and now I want to cancel it. Is that possible? Or am I wrong and it is actually for free? I also tried deleting it but I keep getting the message that I can't install multiple versions.
If you are not a MongoDB customer, your use of MongoDB Enterprise Server is governed by the customer agreement that is presented during the download process (e.g. here). This agreement says:
(b) Free Evaluation and Development. MongoDB grants you a royalty-free, nontransferable and nonexclusive license to use and reproduce the Software in your internal environment for evaluation and development purposes. You will not use the Software for any other purpose, including testing, quality assurance or production purposes without purchasing an Enterprise Advanced Subscription. We provide the free evaluation and development license of our Software on an “AS-IS” basis without any warranty.
You may use the product indefinitely as long as you are using it for "evaluation and development purposes".
You can also uninstall the enterprise server at any time and install the community one.
We are running a trial version of the DevOps server on-premise. I'm trying to activate it so we aren't on the trial version any more.
Our company developers each have a VisualStudio Enterprise subscription, my understanding of this page:
https://azure.microsoft.com/en-us/pricing/details/devops/server/
is that if we have the Enterprise subscriptions (which we get via partner status) then we get one server license as well as a user license.
"Visual Studio subscriptions include one server license plus a user CAL for the subscriber."
If this is not the case, can someone explain? If this is the case, how do I go about activating DevOps server to not be in free-trial status?
I'm still searching for an answer as to how I actually make use of our
licenses to remove the 'trial' status or 'activate' DevOps server if
you will.
You can check this blog. Apart from earlier versions of tfs, it also applies to Azure Devops Server 2018 and 2019.
Open Team Foundation Server Administration Console and double-click the server name, you would see a window like this:
Click Complete Trial and you can remove the trial status in TFS Web UI. I think that's what you want.
And about license:
Starting with Update 2, you will not need to enter a product key into any version of TFS. If you download TFS from www.visualstudio.com, however, there will continue to be a trial experience. This experience is only there to help you comply with our server and user licensing requirements. You can opt out of it up front, at any point during the trial, or even after it expires. Critically, your server will continue working even if you let your trial expire. When you complete the trial, or when it expires, you need to ensure that you have a valid license in order to remain compliant.
So you can continue to use that in normal work since as you mentioned above the developers in your team each have one VS Enterprise subscription. (More details about licensing see licensing whitepaper)
We are using Applet previously to get Key Store Certificates installed in client's machine. Now as chrome stops NPAPI, Applet is not working now, so finding some solution using Javascript / jQuery.
I am trying to get the total Certificate List for installs in KeyStore, but I can't find any solutions. Does any one know how to get the full Certificate List using JavaScript or jQuery?
You cannot do that with JavaScript running in the client.
See the following entry of the WebCrypto mailing list:
On Wed, Jun 24, 2015 at 1:50 PM, Jeffrey Walton
wrote:
I see the WebCrypto API will allow discovery of keys
(http://www.w3.org/TR/WebCryptoAPI/):
In addition to operations such as signature generation
and verification, hashing and verification, and encryption
and decryption, the API provides interfaces for key
generation, key derivation, key import and export, and
key discovery.
Certificates have public keys, and they are not as sensitive as private
keys.
Will the WebCrypto API allow discovery/enumeration of certificates?
Examples of what I would like to discover or enumerate (in addition to
the private keys):
Trusted roots
Client certs
Trusted Roots are in the platform's trust store. Client certs may be
in the trust store.
Thanks in advance,
Jeff
There are no plans from Chrome to implement such, on the hopefully obvious and significant privacy grounds.
Client certs contain PII. Trusted certs contain PII and
fingerprinting.
In modern, sandboxed operating systems, such as iOS and Android,
applications cannot enumerate either, as those platform providers
reached the same conclusion.
So no. Never.1
1 For some really long value of never
Get clone of below link https://github.com/scketches/ffPrintCert
install the jpm
npm install jpm --global
Create build for mozilla
jpm xpi
Upload extension in mozilla locally and check
Fire below url in mozilla
about:debugging
Load .xpi file from locally and check.
We have window application developed in .Net and want perfect deployment technology
which enables easy application installation and upgrading.
The client can be accessed from anywhere in the world where an Internet connection is available.
In future we want the same deployment technology for provide support user's who use Window 7 and
Window 8
Looking at the the initial requirement we have decided to use Click Once technology
but found many issues in the deployment. They are below
You will need to sign a Click Once application with trusted certificate
otherwise it is blocked and instantly removed by Antivirus program.
ClickOnce may not be supported by all browsers , the behavior are different in IE and
other browser
ClickOnce to doesn't install components into the GAC , doesn't installed in the program
files rather it install and maintain user wise in the client machine.
ClickOnce has issue with proxy network and unable to customize the setup screen.
Community has faced many issues with ClickOnce Setup and does not have enough solution or
updates on Click Once technology solution
Do we have perfect deployment solution for window app over internet other than ClickOnce? Which methodology is widely used for window app deployment over internet?
Which deployment technology provide better success rate for easily maintenance and version update for the Window app over internet ?
You could build it as a standard executable and create an installer. A good way to make an installer is InnoSetup. However, the user has to have .Net Framework already installed.
As of Windows Vista, version 2.0 is included, Windows 7 includes 3.5, and Windows 8 includes 4.5. If you change the target .Net Framework of your application you can target these systems. Go to Properties > Target Framework > Choose 2.0, 3.5, or 4.5 (client profile if available).
As for updates, you should implement this in your application on your own or get another third-party updater. I don't know any good ones though.
I work in a service organization where users of our internal tools are often disconnected. It is often the case that service engineers on service assignments are "stranded" with an outdated version of some internal tool.
These tools are deployed using ClickOnce publish VS2010 .NET4 . If the users run all their apps while still connected to corporate network, they would get a notification that a new version was available. As the number of various tools increase, the chance increases that some app is not updated.
Is it possible to automate this process, by a batch file or something?
So that the engineers just need to run one file when connected to corporate nw to get all the newest versions of their installed tools?
Added:
An easier way of saying it would be to have "something like Windows update" operating on corporate net, but for internal ClickOnce apps.
Very interesting question. I can't think of a quick way to do this, but it's definitely possible.
I would create another ClickOnce app whose job is to update the other ClickOnce apps. This app needs the url of each app's .application file. If all engineers are supposed to have all apps, that's easy. If not, maybe you could look through their start menu and find all the ClickOnce Application Reference files. Those files contain the url.
Next, just launch the url and pass a query string argument...
http://server/MyApp/MyApp.application?UpdateOnly=true
In the startup of your applications, you can check the query string argument and shut down the app if it's run with UpdateOnly=true.
One side note. If you set the minimum required version of each of your apps to the latest version, users won't get prompted with the new version dialog. Seems like you'd want to do that or the user would still have to pay attention and do a lot of clicking.