Heartbleed vulnerability in OpenSSL
|Reported by:||camerons||Owned by:|
As per email thread below, OSGeo-Live is effected by the heartbleed vulnerability in OpenSSL. http://heartbleed.com/
On Sat, Apr 12, 2014 at 8:40 AM, Alex Mandel wrote:
You are correct, from a server side someone would have to make services available on https.
From a client side, it is possibly vulnerable in the same way non service packages are in OSGeo4w.
The example in IRC today, which I have not verified. QGIS connects to a WMS via https, that https service probes the local QGIS instance for memory dumps.
I say we just post the how to fix it if you're concerned instructions and leave it at that. Obviously it will be fixed in the next version without additional work on our part. We could also reiterate that we do not intend of OSGeo Live to be used in Production Servers as is.
On 04/11/2014 03:36 PM, Brian Hamlin wrote:
My understanding is that the OSGeo Live is *not* vulnerable as it is, because we do not provide services (like https) out of the box that use the TLS mechanism on top of openssl. If someone was to add those services, it would no longer be the distribution that we made available.
With that said, it is certainly a good idea to update openssl and related packages, update the .iso image, and put that on the servers
-- Brian M Hamlin OSGeo California Chapter blog.light42.com
On Apr 11, 2014, at 2:09 PM, Cameron Shorter wrote:
Hamish, Brian, Angelos, Alex,
I assume that OSGeo-Live (and other OSGeo servers) would contain the heartbleed vulnerability? I suggest that we should put out a similar statement to the one below. What would be our recommended course of action to uses?