Custom query (1088 matches)

As per email thread below, OSGeo-Live is effected by the heartbleed vulnerability in OpenSSL. ​http://heartbleed.com/

On Sat, Apr 12, 2014 at 8:40 AM, Alex Mandel wrote:

You are correct, from a server side someone would have to make services available on https.

From a client side, it is possibly vulnerable in the same way non service packages are in OSGeo4w.

The example in IRC today, which I have not verified. QGIS connects to a WMS via https, that https service probes the local QGIS instance for memory dumps.

I say we just post the how to fix it if you're concerned instructions and leave it at that. Obviously it will be fixed in the next version without additional work on our part. We could also reiterate that we do not intend of OSGeo Live to be used in Production Servers as is.

Thanks, Alex

On 04/11/2014 03:36 PM, Brian Hamlin wrote:

My understanding is that the OSGeo Live is *not* vulnerable as it is, because we do not provide services (like https) out of the box that use the TLS mechanism on top of openssl. If someone was to add those services, it would no longer be the distribution that we made available.

With that said, it is certainly a good idea to update openssl and related packages, update the .iso image, and put that on the servers

-- Brian M Hamlin OSGeo California Chapter blog.light42.com

On Apr 11, 2014, at 2:09 PM, Cameron Shorter wrote:

Hamish, Brian, Angelos, Alex,

I assume that OSGeo-Live (and other OSGeo servers) would contain the heartbleed vulnerability? I suggest that we should put out a similar statement to the one below. What would be our recommended course of action to uses?

On 7/10/2014 12:24 am, Agustin Diez Castillo wrote:

The German [1] and English [2] versions pointing to the current version 8.0, but all other languages [3 … 8] point to version 7.0 (the korean to 7.9).

Same is true for localhost in the current DVD.

[1] ​http://live.osgeo.org/de/download.html

[2] ​http://live.osgeo.org/en/download.html

[3] ​http://live.osgeo.org/es/download.html

[4] ​http://live.osgeo.org/ca/download.html

[5] ​http://live.osgeo.org/fr/download.html

[6] ​http://live.osgeo.org/it/download.html

[7] ​http://live.osgeo.org/pl/download.html

[8] ​http://live.osgeo.org/ru/download.html

The project owner has requested that MapTiler be removed from OSGeo-Live, as the project is no longer being actively developed.

I propose we remove links to the install script from main.sh and move links in the docs to "available on previous releases of OSGeo-Live"