Ice 3.5 support and latest OpenSSL vulnerability

With the release of Ice 3.6, I just wanted to clarify what the status of Ice 3.5 was with regard to fixing recent OpenSSL vulnerabilities. Were you planning on making a new ThirdPartySources with the updated OpenSSL and rebuilding the binaries, or is this now abandoned in favour of Ice 3.6?


Kind regards,
Roger

Comments

  • bernard (Jupiter, FL)
    Hi Roger,

    Yes, we plan to provide updated OpenSSL 1.0.1 binaries for Windows from time to time, as part of refreshed Ice 3.5.1 binary distributions for Windows.

    The timing depends on the bugs fixed in the OpenSSL 1.0.1 releases. The latest binaries we distribute are for OpenSSL 1.0.1m, and the bugs fixed between 1.0.1m and the latest release (1.0.1p) are not critical for Ice applications. In particular, the latest CVE (CVE-2015-1793: 9th July 2015) fixed bugs in 1.0.1n and 1.0.1o, not 1.0.1m.

    Best regards,
    Bernard
  • Hi Bernard,

    Many thanks for confirming this.