Date: Wed, 9 Apr 2014 13:01:54 -0700 From: Nick Kralevich <nnk@...gle.com> To: oss-security@...ts.openwall.com Cc: Yves-Alexis Perez <corsac@...ian.org> Subject: Re: Heartbleed, clients and Android On Wed, Apr 9, 2014 at 3:21 AM, Hanno Böck <hanno@...eck.de> wrote: > > > Because the latter > > > would include Android. We are all pretty aware that android updates > > > are in large parts nonexistent. > > > > I don't have much clue about Android, but I think I heard heartbeat > > was disabled in Android, but I don't have a link right now. Also, I'm > > unsure what actually use libssl in Android and what uses NSS. > > Seems Android disabled Heartbeat in 2012: > > https://android.googlesource.com/platform/external/openssl.git/+/android-4.1.2_r1 > > Still leaves some android versions as potentially vulnerable. > All versions of Android are immune to CVE-2014-0160, with the limited exception of Android 4.1.1. See also: http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.