Wind River Support Network

HomeSafety and Security NoticesWind River Security Alert for Wind River Linux 3.x/4.x/5.0.1.x/6.0.0.x
Recommended

Wind River Security Alert for Wind River Linux 3.x/4.x/5.0.1.x/6.0.0.x

Released: Apr 8, 2014     Updated: Apr 14, 2014

Summary

Wind River Security Alert for Wind River Linux 3.x/4.x/5.0.1.x/6.0.0.x


Affected Product Versions

Linux 3, Wind River Linux 4, Wind River Linux 5, Wind River Linux 6

Downloads


Description

Wind River Linux 3.x
================
This alert confirms that Wind River Linux 3.x users do NOT need to take any action associated with the serious CVE-2014-0160 OpenSSL vulnerability; aka "The Heartbleed Bug".  All versions of Wind River Linux 3.0.0.0 through 3.0.3.21 and later are NOT vulnerable this exploit.  The vulnerability affects OpenSSL 1.0.1 before 1.0.1g. Wind River Linux 3.x includes OpenSSL 0.9.8.

Wind River Linux 4.x
================
This alert confirms that Wind River Linux 4.x users do NOT need to take any action associated with the serious CVE-2014-0160 OpenSSL vulnerability; aka "The Heartbleed Bug".  All versions of Wind River Linux 4.0.0.0 through 4.3.0.24 and later are NOT vulnerable this exploit.  The vulnerability affects OpenSSL 1.0.1 before 1.0.1g. Wind River Linux 4.x includes OpenSSL 1.0.0.

Wind River Linux 5.0.1.x
===================
This alert confirms that Wind River Linux 5.0.1.x IS SUSCEPTIBLE to the serious CVE-2014-0160 OpenSSL vulnerability; aka "The Heartbleed Bug".  The vulnerability affects OpenSSL 1.0.1 before 1.0.1g.  While Wind River Linux 5.0.1.3 and later contain OpenSSL 1.0.1e as an optional package, the distribution default is OpenSSL 1.0.0.  OpenSSL 1.0.1e is only used if explicitly enabled via the configure option '--with-template=feature/openssl101e'.  Wind River recommends that Wind River Linux 5.x users do not override the distribution default OpenSSL 1.0.0 until a patch is available.

The hot patch is ready.

1) Updating 5.0.1.13
2) configure project with .. --with-rcpl-version=0013
3) cd project/layers/oe-core
4) git am 0001-openssl-backport-fix-for-CVE-2014-0160-5.0.1.patch

This vulnerability will be patched in Wind River Linux 5.0.1.14 scheduled for release 30APR2014.

Wind River Linux 6.0.0.x
===================
This alert confirms that Wind River Linux 6.x IS SUSCEPTIBLE to the serious CVE-2014-0160 OpenSSL vulnerability; aka "The Heartbleed Bug".  The vulnerability affects OpenSSL 1.0.1 before 1.0.1g.  Wind River Linux 6.0.0.0 through 6.0.0.5 shipped with OpenSSL 1.0.1e which is vulnerable.  Wind River recommends Wind River Linux 6.x users recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS until a patch is available.

This vulnerability will be patched in Wind River Linux 6.0.0.6 scheduled for release 30APR2014.

The hot patch is ready.

1) Updating 6.0.0.5
2) configure project with .. --with-rcpl-version=0005
3) cd project/layers/oe-core
4) git am 0001-openssl-backport-fix-for-CVE-2014-0160-6.0.patch
 

For more information please contact Wind River Support at +1-800-872-4977 or your local Wind River representative.


Live chat
Online