Ice 3.5 support and latest OpenSSL vulnerability

rleighrleigh Member Roger LeighOrganization: University of DundeeProject: OMERO (Open Microscopy Environment)
With the release of Ice 3.6, I just wanted to clarify what the status of Ice 3.5 was with regard to fixing recent OpenSSL vulnerabilities. Were you planning on making a new ThirdPartySources with the updated OpenSSL and rebuilding the binaries, or is this now abandoned in favour of Ice 3.6?


Kind regards,
Roger

Comments

  • bernardbernard Jupiter, FLAdministrators, ZeroC Staff Bernard NormierOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    Hi Roger,

    Yes, we plan to provide updated OpenSSL 1.0.1 binaries for Windows from time to time, as part of refreshed Ice 3.5.1 binary distributions for Windows.

    The timing depends on the bugs fixed in the OpenSSL 1.0.1 releases. The latest binaries we distribute are for OpenSSL 1.0.1m, and the bugs fixed between 1.0.1m and the latest release (1.0.1p) are not critical for Ice applications. In particular, the latest CVE (CVE-2015-1793: 9th July 2015) fixed bugs in 1.0.1n and 1.0.1o, not 1.0.1m.

    Best regards,
    Bernard
  • rleighrleigh Member Roger LeighOrganization: University of DundeeProject: OMERO (Open Microscopy Environment)
    Hi Bernard,

    Many thanks for confirming this.
Sign In or Register to comment.