[Live-demo] [OSGeo] #1329: Heartbleed vulnerability in OpenSSL

OSGeo trac_osgeo at osgeo.org
Sun Apr 13 03:09:23 PDT 2014

#1329: Heartbleed vulnerability in OpenSSL
 Reporter:  camerons  |       Owner:  live-demo@…              
     Type:  defect    |      Status:  new                      
 Priority:  critical  |   Milestone:  OSGeoLive7.9             
Component:  LiveDVD   |    Keywords:                           
 As per email thread below, OSGeo-Live is effected by the heartbleed
 vulnerability in OpenSSL. http://heartbleed.com/

 On Sat, Apr 12, 2014 at 8:40 AM, Alex Mandel wrote:

     You are correct, from a server side someone would have to make
     available on https.

     From a client side, it is possibly vulnerable in the same way non
     service packages are in OSGeo4w.

     The example in IRC today, which I have not verified. QGIS connects to
     WMS via https, that https service probes the local QGIS instance for
     memory dumps.

     I say we just post the how to fix it if you're concerned instructions
     and leave it at that. Obviously it will be fixed in the next version
     without additional work on our part. We could also reiterate that we
     not intend of OSGeo Live to be used in Production Servers as is.


     On 04/11/2014 03:36 PM, Brian Hamlin wrote:
     > My understanding is that the OSGeo Live is *not* vulnerable as it
     > because we do not provide services (like https) out of the box that
     > the TLS mechanism on top of openssl. If someone was to add those
     > services, it would no longer be the distribution that we made
     > With that said, it is certainly a good idea to update openssl and
     > related packages, update the .iso image, and put that on the servers
     > --
     > Brian M Hamlin
     > OSGeo California Chapter
     > blog.light42.com
     > On Apr 11, 2014, at 2:09 PM, Cameron Shorter wrote:
     >> Hamish, Brian, Angelos, Alex,
     >> I assume that OSGeo-Live (and other OSGeo servers) would contain
     >> heartbleed vulnerability?
     >> I suggest that we should put out a similar statement to the one
     >> What would be our recommended course of action to uses?

Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1329>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

More information about the Osgeolive mailing list