New OpenSSL vulnerability (wodSSH / wodSSH.NET)
We have got a new vulnerability for OpenSSL:
https://www.openssl.org/news/secadv/20160503.txt
Is wodSSH.NET, WeOnlyDo.Client.FTP affected by this vulnerability? I am using v2.6 and 1.7 versions respectively.
If affected, is there a hotfix or a patch available to overcome this vulnerability?
New OpenSSL vulnerability
Hi.
wodSSH.NET and wodFtpDLX.NET don't use OpenSSL, so you're not affected.
Kind regards,
Jasmine.
New OpenSSL vulnerability
How about WODCrypt? We use OpenSSL with this component. Will there be an update?
Thanks,
Mark
New OpenSSL vulnerability
Hi Mark.
We're using OpenSSL 1.0.2g in all our products, and so does wodCrypt. We're not affected by this vulnerability.
I hope this helps!
Jasmine.
New OpenSSL vulnerability
I believe the below vulnerability affects 1.0.2g.
Thanks,
Mark
CVE-2016-2107 (OpenSSL advisory) [High severity] 3rd May 2016:
A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. Reported by Juraj Somorovsky.
Fixed in OpenSSL 1.0.1t (Affected 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.2h (Affected 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
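The missing length check that the advisory describes, as an added example that is not part of the original post and is not OpenSSL's code. It is a simplified model of a constant-time CBC padding check, assuming an HMAC-SHA1 suite (20-byte MAC); the function names and the `require_room` switch are hypothetical, and both sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_SIZE 20u /* HMAC-SHA1 tag length (assumed cipher suite) */

/* All-ones if a >= b, else 0, computed without branching on the inputs. */
static unsigned ct_ge(unsigned a, unsigned b) {
    return 0u - (unsigned)((((uint64_t)a - (uint64_t)b) >> 63) ^ 1u);
}

/* Padding check for a decrypted TLS CBC record (IV already removed).
 * Returns 1 if the padding is accepted, 0 if rejected.
 * require_room = 0 models the missing check; 1 is the hardened form. */
static int cbc_padding_ok(const uint8_t *rec, size_t len, int require_room) {
    if (len < MAC_SIZE + 1) return 0;      /* record length is public */
    unsigned pad = rec[len - 1];           /* claimed padding length */
    unsigned good = ~0u;
    if (require_room)                      /* MAC + padding + length byte must fit */
        good = ct_ge((unsigned)len, MAC_SIZE + 1u + pad);
    size_t to_check = len < 256 ? len : 256;   /* always read the same bytes */
    for (size_t i = 0; i < to_check; i++) {
        unsigned in_pad = ct_ge(pad, (unsigned)i);  /* is byte i inside the padding? */
        good &= ~(in_pad & (pad ^ rec[len - 1 - i]));
    }
    return (good & 0xffu) == 0xffu;
}

/* Constructed sample: 32 bytes that are all 0x1f, i.e. the record claims
 * 32 bytes of padding and leaves no room for the 20-byte MAC. */
static int check_oversized_padding(int require_room) {
    uint8_t rec[32];
    memset(rec, 0x1f, sizeof rec);
    return cbc_padding_ok(rec, sizeof rec, require_room);
}

/* Constructed sample: 8 data bytes, 20 MAC bytes, padding 03 03 03 03. */
static int check_wellformed_record(int require_room) {
    uint8_t rec[32];
    memset(rec, 0xaa, sizeof rec);
    memset(rec + 28, 0x03, 4);
    return cbc_padding_ok(rec, sizeof rec, require_room);
}
```

Without the room check the oversized record passes the padding test even though MAC and padding cannot both fit; with it the record is rejected, while the well-formed record is accepted either way.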
New OpenSSL vulnerability
Hi Mark.
Fixed, we've switched to 1.0.2h.
Jasmine.
New OpenSSL vulnerability
What about the WodSSH ActiveX component? We are using version 3.0.0. Is it affected by these vulnerabilities?
New OpenSSL vulnerability
Hi Ihor.
We update OpenSSL for each component when it needs to be recompiled. I have forced wodSSH (and other components) to be recompiled now, so please request an update.
Kind regards,
Jasmine.