Feature #195

Win32: Please update OpenSSL

Added by X. W. over 3 years ago. Updated over 3 years ago.

Status: Rejected
Start date: 04/08/2014
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Spent time: -
Target version: -

Description

Dear Sylpheed developer(s),

please update OpenSSL in Sylpheed Win32.

Sylpheed Win32 currently uses the old OpenSSL 0.9.8, even though the new OpenSSL 1.0.1 is the current version.

It would be much appreciated.

Regards

History

#1 Updated by Georg Schmalhofer over 3 years ago

Related info about an extremely dangerous bug in OpenSSL 1.0.1:

https://www.openssl.org/news/secadv_20140407.txt

-----------------------------------------------
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <> and Bodo Moeller <> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
-----------------------------------------------------------------------

More info can be found here:
http://heartbleed.com/

#2 Updated by Hiroyuki Yamamoto over 3 years ago

  • Status changed from New to Rejected

X. W. wrote:

Dear Sylpheed developer(s),

please update OpenSSL in Sylpheed Win32.

Sylpheed Win32 currently uses the old OpenSSL 0.9.8, even though the new OpenSSL 1.0.1 is the current version.

There is no advantage in upgrading the included OpenSSL from 0.9.8y to 1.0.*,
since Sylpheed only uses its basic features.

0.9.8y is the latest version of the 0.9.8 branch, and currently there is no known vulnerability.
(also not affected by CVE-2014-0160)
