We apologise to all our customers affected by the February 29 issue in SecureBlackbox TElHTTPSClient component. We have localised the problem and are now directing all our efforts to have the fix ready as quickly as possible.

For now we can confirm that the problem affects VCL, NG, C++ and PHP editions. .NET and Java editions are clear of the issue.

We are sorry for the inconveniences the issue might have caused.

UPDATE 1 (09:51)

Those our customers who compile SecureBlackbox from source code can apply the following patch to SBUtils.pas unit to get rid of the issue:

1. Open your SBUtils.pas unit.

2. Find the implementation of DateTimeAddYears() function.

3. Replace the implementation (the whole function including the headers, begin and end) with the following piece of code:

----- PATCH BLOCK START -----
function DateTimeIsLeapYear(Year: Integer): Boolean;
begin
  Result := (Year mod 4 = 0) and ((Year mod 100  0) or (Year mod 400 = 0));
end;

function DateTimeAddYears(DateTime: TElDateTime; Years: Integer): TElDateTime;
var
  Year, Month, Day: Word;
begin
  DecodeDate(DateTime, Year, Month, Day);
  Inc(Year, Years);
  if (Month = 2) and (Day = 29) and not DateTimeIsLeapYear(Year) then
    Day := 28;
  Result := EncodeDate(Year, Month, Day) + Frac(DateTime);
end;
----- PATCH BLOCK END -----

Please apply the patch and recompile your project to get use of the fix.

UPDATE 2 (10:25)

Some details of the issue:

The issue is caused by mishandling of leap years in internal SecureBlackbox date handling routine. Unfortunately, the architectural specifics of the library results in the error affecting a higher level TElHTTPSClient component, making it crash in its constructor. So, essentially, the problem leads to broken HTTPS connectivity and it seems to be the only (quite major though) consequence by far. February 29 is the only date affected, with TElHTTPSClient's behaviour getting back to normal on the 1st of March (in no way this is an excuse).

The issue doesn't appear to be exploitable and doesn't involve any straightforward data loss or disclosure. It's only the connectivity side that is affected.

We would like to thank our customers for your patience. Official hot fix updates are being prepared at the moment, and we hope to make them available soon. We are really sorry about the problems this issue might have caused you.

↧

A word about SecureBlackbox "leap year" issue

February 29, 2016, 9:00 pm

≫ Next: New build of CallbackFilter available

≪ Previous: SecureBlackbox: for those affected by February 29 issue

The details, comments and plans about yesterday's issue with the leap year in SecureBlackbox.

↧

New build of CallbackFilter available

March 6, 2016, 2:00 pm

≫ Next: Callback File System 6.1 beta is available

≪ Previous: A word about SecureBlackbox "leap year" issue

New build of CallbackFilter 4.1 is available for download.

↧

Callback File System 6.1 beta is available

March 11, 2016, 2:00 pm

≫ Next: SecureBlackbox 14: maintenance update available

≪ Previous: New build of CallbackFilter available

The public beta version of Callback File System 6.1 is available for testing.

↧

SecureBlackbox 14: maintenance update available

March 19, 2016, 3:00 pm

≫ Next: BizCrypto 14 has been updated

≪ Previous: Callback File System 6.1 beta is available

New maintenance update to SecureBlackbox 14 contains improvements and updates in PDF package.

↧

BizCrypto 14 has been updated

March 19, 2016, 3:00 pm

≫ Next: Callback File System 6.1 pre-release is available

≪ Previous: SecureBlackbox 14: maintenance update available

BizCrypto has been updated to version 14.0.290, which updates the backend security library.

↧

Callback File System 6.1 pre-release is available

March 26, 2016, 2:00 pm

≫ Next: Regarding security alerts for EldoS products

≪ Previous: BizCrypto 14 has been updated

The pre-release version of Callback File System 6.1 is available for download and use.

↧

Regarding security alerts for EldoS products

April 4, 2016, 2:00 pm

≫ Next: New build of CallbackFilter available

≪ Previous: Callback File System 6.1 pre-release is available

If you want to be notified about security-related news, related to our products, and not about other news, we have created a dedicated information channel.

↧