  1. #1
    Join Date
    October 2015
    Posts
    3

    Encryption: The OpenSSL version included is quite outdated

    I was concerned about the included OpenSSL version since the changelog only ever made 1 mention of it in the client changelog history, in April 2014, so I did a bit of digging. There have been a few TeamSpeak 3 releases for both the client and server between now and April 2014.

    In April 2014 OpenSSL 1.0.1g was released, and the TeamSpeak 3 client changelog for version 3.0.15 dated 23 Jun 2014 mentions:
    * Updated openssl to 1.0.1h
    In fact, upon inspecting the included OpenSSL library files, it turns out that they are actually an older version, 1.0.1g, and not 1.0.1h.

    By the way, the current version as of this writing is OpenSSL 1.0.2d, released on 06 Jul 2015.

    Looking at all the serious bugs that OpenSSL has had between April 2014 and now, I'm surprised that so little to no attention has been given to this critical piece of software for those of us using the encryption features that the TeamSpeak 3 server and client provide, leaving us exposed to different encryption-related security vulnerabilities. In the few TeamSpeak 3 client and server releases between then and now there were several opportunities to update the included OpenSSL library files, all missed.

    What I'm basically aiming for here is that you please take greater care on staying up to date with the OpenSSL releases and library files that are included with the releases you provide.

  2. #2
    Join Date
    December 2009
    Location
    Germany
    Posts
    289
    Only as a hint for users. As far as I can see, only the client-binary has relations to openssl-libs.

    Server-Library-Relations:
    Code:
    ldd ts3server_linux_amd64 
            linux-vdso.so.1 =>  (0x00007ffe75ca4000)
            libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f427e8e4000)
            librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f427e6dc000)
            libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f427e4bf000)
            libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f427e23d000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f427deb2000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f427eafa000)
    Client-Library-Relations:
    Code:
    ldd ts3client_linux_amd64 
            linux-vdso.so.1 (0x00007ffd6cef8000)
            libquazip.so => not found
            libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fb325df2000)
            librt.so.1 => /usr/lib/librt.so.1 (0x00007fb325bea000)
            libz.so.1 => /usr/lib/libz.so.1 (0x00007fb3259d4000)
            libQt5Core.so.5 => /usr/lib/libQt5Core.so.5 (0x00007fb3252e7000)
            libQt5Gui.so.5 => /usr/lib/libQt5Gui.so.5 (0x00007fb324b7b000)
            libQt5Network.so.5 => /usr/lib/libQt5Network.so.5 (0x00007fb324823000)
            libQt5Widgets.so.5 => /usr/lib/libQt5Widgets.so.5 (0x00007fb323f6f000)
            libQt5Sql.so.5 => /usr/lib/libQt5Sql.so.5 (0x00007fb323d2c000)
            libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007fb323b15000)
            libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007fb323793000)
            libm.so.6 => /usr/lib/libm.so.6 (0x00007fb323495000)
            libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007fb32327f000)
            libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007fb323062000)
            libc.so.6 => /usr/lib/libc.so.6 (0x00007fb322cbe000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fb325ff6000)
            libicui18n.so.55 => /usr/lib/libicui18n.so.55 (0x00007fb322858000)
            libicuuc.so.55 => /usr/lib/libicuuc.so.55 (0x00007fb3224c5000)
            libpcre16.so.0 => /usr/lib/libpcre16.so.0 (0x00007fb32225f000)
            libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0x00007fb321f51000)
            libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007fb326136000)
            libpng16.so.16 => /usr/lib/libpng16.so.16 (0x00007fb321d1c000)
            libharfbuzz.so.0 => /usr/lib/libharfbuzz.so.0 (0x00007fb321aba000)
            libGL.so.1 => /usr/lib/libGL.so.1 (0x00007fb321822000)
            libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007fb3215a8000)
            libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007fb321131000)
            libgobject-2.0.so.0 => /usr/lib/libgobject-2.0.so.0 (0x00007fb320ee0000)
            libX11.so.6 => /usr/lib/libX11.so.6 (0x00007fb320b9e000)
            libicudata.so.55 => /usr/lib/libicudata.so.55 (0x00007fb31f0e8000)
            libpcre.so.1 => /usr/lib/libpcre.so.1 (0x00007fb31ee78000)
            liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007fb31ec52000)
            liblz4.so.1 => /usr/lib/liblz4.so.1 (0x00007fb31ea40000)
            libgcrypt.so.20 => /usr/lib/libgcrypt.so.20 (0x00007fb31e75e000)
            libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00007fb31e54b000)
            libcap.so.2 => /usr/lib/libcap.so.2 (0x00007fb31e347000)
            libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00007fb31e08a000)
            libgraphite2.so.3 => /usr/lib/libgraphite2.so.3 (0x00007fb31de5f000)
            libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fb31dc35000)
            libglapi.so.0 => /usr/lib/libglapi.so.0 (0x00007fb31da07000)
            libXext.so.6 => /usr/lib/libXext.so.6 (0x00007fb31d7f5000)
            libXdamage.so.1 => /usr/lib/libXdamage.so.1 (0x00007fb31d5f2000)
            libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0x00007fb31d3ec000)
            libX11-xcb.so.1 => /usr/lib/libX11-xcb.so.1 (0x00007fb31d1ea000)
            libxcb-glx.so.0 => /usr/lib/libxcb-glx.so.0 (0x00007fb31cfd0000)
            libxcb-dri2.so.0 => /usr/lib/libxcb-dri2.so.0 (0x00007fb31cdcb000)
            libxcb-dri3.so.0 => /usr/lib/libxcb-dri3.so.0 (0x00007fb31cbc8000)
            libxcb-present.so.0 => /usr/lib/libxcb-present.so.0 (0x00007fb31c9c5000)
            libxcb-randr.so.0 => /usr/lib/libxcb-randr.so.0 (0x00007fb31c7b7000)
            libxcb-xfixes.so.0 => /usr/lib/libxcb-xfixes.so.0 (0x00007fb31c5af000)
            libxcb-render.so.0 => /usr/lib/libxcb-render.so.0 (0x00007fb31c3a5000)
            libxcb-shape.so.0 => /usr/lib/libxcb-shape.so.0 (0x00007fb31c1a1000)
            libxcb-sync.so.1 => /usr/lib/libxcb-sync.so.1 (0x00007fb31bf9a000)
            libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00007fb31bd77000)
            libxshmfence.so.1 => /usr/lib/libxshmfence.so.1 (0x00007fb31bb74000)
            libXxf86vm.so.1 => /usr/lib/libXxf86vm.so.1 (0x00007fb31b96e000)
            libdrm.so.2 => /usr/lib/libdrm.so.2 (0x00007fb31b75f000)
            libffi.so.6 => /usr/lib/libffi.so.6 (0x00007fb31b556000)
            libattr.so.1 => /usr/lib/libattr.so.1 (0x00007fb31b351000)
            libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0x00007fb31b141000)
            libXau.so.6 => /usr/lib/libXau.so.6 (0x00007fb31af3d000)
            libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x00007fb31ad37000)
    And also a hint for Linux users. It may be possible to use the system libraries with TeamSpeak. Please use this hint at your own risk.
    An example for this may be the package within Arch Linux.
    https://www.archlinux.org/packages/c...64/teamspeak3/

  3. #3
    Join Date
    October 2015
    Posts
    3
    What I wrote here was more about the Windows version though.

    It seems from your ldd output that the Linux version of the client uses the system-wide version of OpenSSL, which is good. Not sure why the server doesn't show similar dependencies. Perhaps it's statically compiled into the server binary, which would mean it's probably an old version. The Windows version of the server also does not have any included OpenSSL library files, so likely it's the same thing here as well.

    However, in Linux distributions OpenSSL libraries are almost always part of the installation so this method can be easier to do. But this is not the case on Windows, so this means the TeamSpeak developers are responsible for including up to date OpenSSL library files.
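
The check discussed in posts #1 and #3 (reading the OpenSSL version out of the shipped library files, or out of a binary that links OpenSSL statically and therefore shows no libssl/libcrypto line in ldd), as an added example that is not part of the original thread and not TeamSpeak's code. It scans raw bytes for the version banner that OpenSSL compiles into libcrypto and compares it with the changelog claim and a minimum version; the sample bytes and all function names are constructed for illustration.

```python
import re
import sys

# libcrypto embeds a banner such as b"OpenSSL 1.0.1g 7 Apr 2014"; it is present
# in bundled DLLs/.so files and in binaries that link OpenSSL statically.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:-[a-z0-9]+)?\s+\d{1,2} [A-Z][a-z]{2} \d{4}")

def parse_version(text):
    """Turn '1.0.1g' into a sortable key: 1.0.1g < 1.0.1h < 1.0.2d."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    letters = m.group(4)
    # (length, text) keeps a single patch letter below a double one ("z" < "za").
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), len(letters), letters)

def embedded_versions(data):
    """Return the unique OpenSSL versions whose banner appears in raw bytes."""
    found = {m.group(1).decode("ascii") for m in BANNER.finditer(data)}
    return sorted(found, key=parse_version)

def audit(data, claimed, minimum):
    """Compare each embedded version with the changelog claim and a minimum."""
    return [
        {
            "version": v,
            "matches_claim": v == claimed,
            "outdated": parse_version(v) < parse_version(minimum),
        }
        for v in embedded_versions(data)
    ]

# Constructed sample: a few header-like bytes around the banner a 1.0.1g build
# carries, repeated once as it would be inside a longer string.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.0.1g 7 Apr 2014\x00"
          + b"\x00" * 8 + b"part of OpenSSL 1.0.1g 7 Apr 2014\x00")

if __name__ == "__main__":
    # Usage: script.py <claimed> <minimum> <file>...   e.g. 1.0.1h 1.0.2d libeay32.dll
    if len(sys.argv) < 4:
        print(audit(SAMPLE, "1.0.1h", "1.0.2d"))
    else:
        for path in sys.argv[3:]:
            with open(path, "rb") as fh:
                print(path, audit(fh.read(), sys.argv[1], sys.argv[2]) or "no banner found")
```

An empty result does not prove OpenSSL is absent: a stripped or modified build may not carry the banner, so treat "no banner found" as inconclusive.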

  4. #4
    Join Date
    October 2015
    Posts
    3

    Question

    Can one of the TeamSpeak developers/officials please comment on this?

  5. #5
    Join Date
    June 2008
    Posts
    18,513
    I personally think that the Heartbleed bug isn't evil for us.
    The devs are already informed about it, but there is no statement yet for this.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  6. #6
    Join Date
    June 2008
    Posts
    18,513
    OpenSSL will be updated with client 3.0.19. We will use the latest stable OpenSSL 1.0.2e.
    Last edited by dante696; December 16th, 2015 at 12:03 PM. Reason: version added