[Live-demo] [OSGeo] #1329: Heartbleed vulnerability in OpenSSL

OSGeo trac_osgeo at osgeo.org
Sun Apr 13 03:09:23 PDT 2014


#1329: Heartbleed vulnerability in OpenSSL
----------------------+-----------------------------------------------------
 Reporter:  camerons  |       Owner:  live-demo@…              
     Type:  defect    |      Status:  new                      
 Priority:  critical  |   Milestone:  OSGeoLive7.9             
Component:  LiveDVD   |    Keywords:                           
----------------------+-----------------------------------------------------
 As per the email thread below, OSGeo-Live is affected by the Heartbleed
 vulnerability in OpenSSL. http://heartbleed.com/

 On Sat, Apr 12, 2014 at 8:40 AM, Alex Mandel wrote:

     You are correct, from a server side someone would have to make
     services available on https.

     From a client side, it is possibly vulnerable in the same way non
     service packages are in OSGeo4w.

     The example in IRC today, which I have not verified: QGIS connects to
     a WMS via https, that https service probes the local QGIS instance for
     memory dumps.


     I say we just post the "how to fix it if you're concerned" instructions
     and leave it at that. Obviously it will be fixed in the next version
     without additional work on our part. We could also reiterate that we
     do not intend OSGeo Live to be used in Production Servers as is.


     Thanks,
     Alex

     On 04/11/2014 03:36 PM, Brian Hamlin wrote:
     >
     > My understanding is that the OSGeo Live is *not* vulnerable as it
     > is, because we do not provide services (like https) out of the box
     > that use the TLS mechanism on top of openssl. If someone was to add
     > those services, it would no longer be the distribution that we made
     > available.
     >
     > With that said, it is certainly a good idea to update openssl and
     > related packages, update the .iso image, and put that on the servers
     >
     > --
     > Brian M Hamlin
     > OSGeo California Chapter
     > blog.light42.com
     >
     > On Apr 11, 2014, at 2:09 PM, Cameron Shorter wrote:
     >
     >> Hamish, Brian, Angelos, Alex,
     >>
     >> I assume that OSGeo-Live (and other OSGeo servers) would contain
     >> the heartbleed vulnerability?
     >> I suggest that we should put out a similar statement to the one
     >> below.
     >> What would be our recommended course of action to users?
     >>

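 The thread's two questions are whether the image exposes any https service
 (server-side exposure) and whether the installed OpenSSL is one of the
 Heartbleed-affected builds. The following script is an added example, not
 code from the ticket, the thread or the OSGeo-Live project. It classifies the
 `openssl version` string against the affected range (OpenSSL 1.0.1 through
 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g), looks for the real
 OPENSSL_NO_HEARTBEATS build flag in `openssl version -a` output, and lists
 TCP listeners on port 443. It assumes `ss` or `netstat` is present for the
 listener check; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the OSGeo ticket or project): local Heartbleed
# exposure check in the defender's sense -- which library build is installed,
# and whether anything is listening for https at all.

# Classify a line such as "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample).
# Prints "affected", "not-affected" or "unknown". The affected range is
# 1.0.1 .. 1.0.1f and 1.0.2-beta1; 1.0.1g and later, and the 0.9.8/1.0.0
# branches, never had the bug.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) echo affected ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|0.9.*|1.0.0*)                   echo not-affected ;;
        *)                                                        echo unknown ;;
    esac
}

# Inspect `openssl version -a` output: a library compiled with
# -DOPENSSL_NO_HEARTBEATS has the heartbeat extension removed entirely.
heartbeat_build_status() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) echo heartbeats-disabled ;;
        *)                       echo heartbeats-enabled ;;
    esac
}

# List TCP listeners bound to port 443 (the "services available on https"
# that the thread says the stock image does not provide). Empty output means
# no standard https listener; TLS on other ports is not covered here.
https_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '$4 ~ /:443$/'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '$4 ~ /:443$/'
    fi
}

report() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version 2>/dev/null || true)
        a=$(openssl version -a 2>/dev/null || true)
        echo "version: $v -> $(heartbleed_version_status "$v")"
        echo "build:   $(heartbeat_build_status "$a")"
    else
        echo "openssl binary not found"
    fi
    if [ -n "$(https_listeners)" ]; then
        echo "https:   listener on port 443 found; server-side exposure possible"
    else
        echo "https:   no listener on port 443; no server-side exposure from this host"
    fi
}

report
```

 One caveat a practitioner should keep in mind: Debian and Ubuntu backport
 the fix without changing the upstream version letter, so "affected" from the
 version string alone is a prompt to compare the installed libssl package
 version against the distribution's advisory, not a final verdict. A
 "not-affected" or "heartbeats-disabled" result, on the other hand, is
 reliable. None of this changes the client-side case raised in the thread:
 an unpatched client library is exposed whenever it connects to a server, so
 updating the package and restarting anything that has libssl loaded remains
 the fix.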
-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/1329>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.