Wind River Security Alert for Wind River Linux 3.x/4.x/5.0.1.x/6.0.0.x
Wind River Linux 3.x
================
This alert confirms that Wind River Linux 3.x users do NOT need to take any action associated with the serious CVE-2014-0160 OpenSSL vulnerability, also known as "The Heartbleed Bug". All versions of Wind River Linux 3.0.0.0 through 3.0.3.21 and later are NOT vulnerable to this exploit. The vulnerability affects OpenSSL 1.0.1 before 1.0.1g. Wind River Linux 3.x includes OpenSSL 0.9.8.
Wind River Linux 4.x
================
This alert confirms that Wind River Linux 4.x users do NOT need to take any action associated with the serious CVE-2014-0160 OpenSSL vulnerability, also known as "The Heartbleed Bug". All versions of Wind River Linux 4.0.0.0 through 4.3.0.24 and later are NOT vulnerable to this exploit. The vulnerability affects OpenSSL 1.0.1 before 1.0.1g. Wind River Linux 4.x includes OpenSSL 1.0.0.
Wind River Linux 5.0.1.x
===================
This alert confirms that Wind River Linux 5.0.1.x IS SUSCEPTIBLE to the serious CVE-2014-0160 OpenSSL vulnerability, also known as "The Heartbleed Bug". The vulnerability affects OpenSSL 1.0.1 before 1.0.1g. While Wind River Linux 5.0.1.3 and later contain OpenSSL 1.0.1e as an optional package, the distribution default is OpenSSL 1.0.0. OpenSSL 1.0.1e is only used if explicitly enabled via the configure option '--with-template=feature/openssl101e'. Wind River recommends that Wind River Linux 5.x users do not override the distribution default OpenSSL 1.0.0 until a patch is available.
The hot patch is ready.
1) Update to 5.0.1.13
2) Configure the project with .. --with-rcpl-version=0013
3) cd project/layers/oe-core
4) git am 0001-openssl-backport-fix-for-CVE-2014-0160-5.0.1.patch
This vulnerability will be patched in Wind River Linux 5.0.1.14 scheduled for release 30APR2014.
Wind River Linux 6.0.0.x
===================
This alert confirms that Wind River Linux 6.x IS SUSCEPTIBLE to the serious CVE-2014-0160 OpenSSL vulnerability, also known as "The Heartbleed Bug". The vulnerability affects OpenSSL 1.0.1 before 1.0.1g. Wind River Linux 6.0.0.0 through 6.0.0.5 shipped with OpenSSL 1.0.1e, which is vulnerable. Wind River recommends that Wind River Linux 6.x users recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS until a patch is available.
This vulnerability will be patched in Wind River Linux 6.0.0.6 scheduled for release 30APR2014.
The hot patch is ready.
1) Update to 6.0.0.5
2) Configure the project with .. --with-rcpl-version=0005
3) cd project/layers/oe-core
4) git am 0001-openssl-backport-fix-for-CVE-2014-0160-6.0.patch
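Added example (not part of the Wind River alert and not Wind River code): a shell check that classifies the output of "openssl version -a" on a target against the version ranges and the -DOPENSSL_NO_HEARTBEATS workaround described above. The verdict names and the sample output are constructed for illustration; it assumes that the build flags appear in that output and that a backported fix such as the hot patch leaves the version string unchanged.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output against this alert.
# Reads the output on stdin and prints one verdict:
#   not-affected    0.9.8 or 1.0.0 (the 3.x, 4.x and 5.0.1.x default)
#   mitigated       1.0.1 through 1.0.1f built with -DOPENSSL_NO_HEARTBEATS
#   check-backport  1.0.1 through 1.0.1f with heartbeats compiled in; a
#                   backported fix is assumed to leave the version string
#                   unchanged, so confirm that the hot patch was applied
#   fixed           1.0.1g or a later 1.0.1 letter release
#   unknown         anything this alert does not cover
classify_openssl() {
    out=$(cat)
    # The first line looks like "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$out" |
        sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        0.9.8*|1.0.0|1.0.0[a-z]) echo not-affected; return 0 ;;
        1.0.1|1.0.1[a-f])        ;;   # affected range, decided below
        1.0.1[g-z])              echo fixed; return 0 ;;
        *)                       echo unknown; return 0 ;;
    esac
    # Build flags are searched for anywhere in the `openssl version -a` text.
    if printf '%s\n' "$out" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo mitigated
    else
        echo check-backport
    fi
}

# Constructed sample of a 6.0.0.x-style build (not captured from a real target).
SAMPLE_UNPATCHED='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -O2 -Wall'

# Usage on a target: sh check_openssl.sh --local   (file name is hypothetical)
if [ "${1:-}" = "--local" ]; then
    openssl version -a | classify_openssl
fi
```

A check-backport verdict cannot distinguish a hot-patched 1.0.1e from an unpatched one, so pair it with a check of the applied patches in project/layers/oe-core.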
For more information please contact Wind River Support at +1-800-872-4977 or your local Wind River representative.