Message-ID: <CAFJ0LnEmzwJeKJgKbJsV9Fx_t8N4U-ep+tHWJQWcX=BqVFvw1A@mail.gmail.com>
Date: Wed, 9 Apr 2014 13:01:54 -0700
From: Nick Kralevich <nnk@...gle.com>
To: oss-security@...ts.openwall.com
Cc: Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: Heartbleed, clients and Android

On Wed, Apr 9, 2014 at 3:21 AM, Hanno Böck <hanno@...eck.de> wrote:

> > > Because the latter
> > > would include Android. We are all pretty aware that Android updates
> > > are in large parts nonexistent.
> >
> > I don't have much clue about Android, but I think I heard heartbeat
> > was disabled in Android, but I don't have a link right now. Also, I'm
> > unsure what actually uses libssl in Android and what uses NSS.
>
> Seems Android disabled Heartbeat in 2012:
>
> https://android.googlesource.com/platform/external/openssl.git/+/android-4.1.2_r1
>
> Still leaves some Android versions as potentially vulnerable.
>

All versions of Android are immune to CVE-2014-0160, with the limited
exception of Android 4.1.1. See also:
http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
