OpenSSL heartbleed vulnerability and ZeroC binary Ice packages

rleigh

Hi,

Are the current binary builds available from the ZeroC website vulnerable to this exploit? If so, which versions are affected? Will you be doing rebuilds to remedy this? Is there any concrete timescale for doing the rebuilds?

Looking at the Ice 3.5.1 thirdparty sources, these include OpenSSL 1.0.1e. Will the thirdparty sources be updated soon, and will the dependent binary packages be rebuilt?

Am I correct that using the current ZeroC packages will result in being vulnerable to the exploit, at the very least for the current 3.5.1 Windows builds which appear to be linked against 1.0.1e?

Do you have a complete list of all the binary artifacts you have which provide/are linked against vulnerable versions of OpenSSL? Will they all be taken down from the site and/or be rebuilt?


Many thanks,
Roger Leigh

bernard

Hi Roger,

You should find answers to all these Heartbleed-related questions in this just published FAQ.

If anything is unclear, please let us know and we'll improve this page.

Best regards,
Bernard

rleigh

Thank you very much, that answers all my questions. And thank you for doing the rebuilds.


Regards,
Roger

rleigh

One question I do have is if the 3.5.1-1 .msi package is packed correctly. Its size is 682 MB (vs. 378 MB for the original 3.5.1 .msi). Is there a reason for the huge increase in size, or does it contain data it should not?

Thanks,
Roger

bernard

Hi Roger,

The size increased because we combined the original Ice-3.5.1.msi with the Ice-3.5.1-VS2013.msi released in November into one installer (Ice-3.5.1-1.msi). This Ice-3.5.1-1.msi includes binaries for Visual Studio 2010, 2012 and 2013.

A good chunk of this size increase is due to the Ice SDK for Windows 8.1 (WinRT) support, that gets installed only on Windows 8. This SDK was not affected by the OpenSSL Heartbleed bug.

Cheers,
Bernard