We apologise to all our customers affected by the February 29 issue in SecureBlackbox TElHTTPSClient component. We have localised the problem and are now directing all our efforts to have the fix ready as quickly as possible.
For now we can confirm that the problem affects VCL, NG, C++ and PHP editions. .NET and Java editions are clear of the issue.
We are sorry for the inconveniences the issue might have caused.
UPDATE 1 (09:51)
Those our customers who compile SecureBlackbox from source code can apply the following patch to SBUtils.pas unit to get rid of the issue:
1. Open your SBUtils.pas unit.
2. Find the implementation of DateTimeAddYears() function.
3. Replace the implementation (the whole function including the headers, begin and end) with the following piece of code:
----- PATCH BLOCK START ----- function DateTimeIsLeapYear(Year: Integer): Boolean; begin Result := (Year mod 4 = 0) and ((Year mod 100 0) or (Year mod 400 = 0)); end; function DateTimeAddYears(DateTime: TElDateTime; Years: Integer): TElDateTime; var Year, Month, Day: Word; begin DecodeDate(DateTime, Year, Month, Day); Inc(Year, Years); if (Month = 2) and (Day = 29) and not DateTimeIsLeapYear(Year) then Day := 28; Result := EncodeDate(Year, Month, Day) + Frac(DateTime); end; ----- PATCH BLOCK END -----
Please apply the patch and recompile your project to get use of the fix.
UPDATE 2 (10:25)
Some details of the issue:
The issue is caused by mishandling of leap years in internal SecureBlackbox date handling routine. Unfortunately, the architectural specifics of the library results in the error affecting a higher level TElHTTPSClient component, making it crash in its constructor. So, essentially, the problem leads to broken HTTPS connectivity and it seems to be the only (quite major though) consequence by far. February 29 is the only date affected, with TElHTTPSClient's behaviour getting back to normal on the 1st of March (in no way this is an excuse).
The issue doesn't appear to be exploitable and doesn't involve any straightforward data loss or disclosure. It's only the connectivity side that is affected.
We would like to thank our customers for your patience. Official hot fix updates are being prepared at the moment, and we hope to make them available soon. We are really sorry about the problems this issue might have caused you.