[Interest] [Development] Heartbleed Bug and Qt

Konrad Rosenbaum konrad at silmor.de
Fri Apr 11 21:25:29 CEST 2014


Hi,

On Thursday 10 April 2014, Turunen Tuukka wrote:
> Although Qt as such is not affected by the Heartbleed Bug (CVE-2014-0160)
> found in OpenSSL, it affects users of Qt and our servers, so I wanted to
> write a short summary about the topic.

Thanks for the summary.


For everybody who did not get up to speed yet, here is a little algorithm on 
what to do about your Qt applications:

* You use Qt with encrypted connections - this includes networked WebKit, 
QNetworkAccessManager with HTTPS or FTPS, QSslSocket - read on below.
 => Otherwise: You are done, go home, play with your kids, have a nice 
weekend.

* Using Linux: update your OpenSSL package using whatever standard command 
your Linux uses (apt-get upgrade, yum ...), ask your users to do the same.

* Using Windows or MacOS: download OpenSSL 1.0.1g, compile it, make your 
usual release tests (quickly!), deliver it to your customers. Urge them to 
install it immediately in case they value the data your app handles.

* Was it version 1.0.1 (or 1.0.2)? If yes: upgrade to 1.0.1g. Check the 
section below.

* Was it a version before 1.0.1? If yes: upgrade to 1.0.1g anyway, because 
your OpenSSL is really old. No need to change keys and passwords. Release it 
with your next program version. Done, join group one in enjoying your 
weekend.

If you used OpenSSL version 1.0.1 up to 1.0.1f, what to do AFTER upgrading:

* revert all secret keys that were used with your app, create new ones

=> this includes user keys and certificates!

* if you have a way of blacklisting old keys/certificates, please do so 
(something built into the program, CRL, OCSP, ...)

* ask your users to do the same if they generate their own keys with/for 
your software

* (have your users) change all passwords or other secrets that were 
transmitted using your application (if you/they reuse passwords you/they 
need to change it everywhere the same one is used)

[Enjoy the next weekend.]



	Konrad
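Added example, not part of Konrad's mail and not Qt or OpenSSL project code: a small C++ triage helper that encodes the decision tree from the mail. It accepts an OpenSSL version either as the packed OPENSSL_VERSION_NUMBER value (which a Qt 5 application can read at run time via QSslSocket::sslLibraryVersionNumber()) or as the text banner printed by `openssl version` (Qt 5: QSslSocket::sslLibraryVersionString()), and returns which of the three outcomes applies: pre-1.0.1 (old, upgrade with the next release, keep keys), 1.0.1 through 1.0.1f (upgrade now and rotate keys, certificates and passwords), or 1.0.1g and later (not affected). Qt is deliberately not linked so the block compiles stand-alone; the version strings in main() are constructed samples. The 1.0.2-beta1/beta2 boundary comes from the OpenSSL advisory for CVE-2014-0160, not from the mail.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// The three outcomes of the triage steps in the mail above.
enum class HeartbleedAction {
    NotAffected,      // 1.0.1g or later: deploy as usual, keys can stay
    OldUpgradeOnly,   // before 1.0.1: no TLS Heartbeat extension at all; upgrade with the
                      // next release because it is old, no key or password change needed
    VulnerableRotate  // 1.0.1 .. 1.0.1f (and 1.0.2-beta1): upgrade now, then revoke and
                      // regenerate keys/certificates and have passwords changed
};

// Fields of the packed OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS:
//   M = major, NN = minor, FF = fix, PP = patch letter (a = 1 .. z = 26, 0 = none),
//   S = status (0 = dev, 1..0xe = beta N, 0xf = release).  1.0.1g is 0x1000107f.
struct OpenSslVersion {
    unsigned major, minor, fix, patch, status;
};

OpenSslVersion decodeVersionNumber(unsigned long v) {
    OpenSslVersion r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status =  v        & 0xf;
    return r;
}

// Parse the text form ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.2-beta1", "1.0.1g-fips", ...)
// into the same fields. Returns false when no M.N.F triple is found.
bool parseVersionString(const std::string& s, OpenSslVersion& out) {
    const char* p = s.c_str();
    if (strncmp(p, "OpenSSL ", 8) == 0) p += 8;     // optional leading product name
    unsigned long parts[3];
    for (int i = 0; i < 3; ++i) {
        char* end = nullptr;
        parts[i] = strtoul(p, &end, 10);
        if (end == p) return false;                 // digits expected here
        p = end;
        if (i < 2) {
            if (*p != '.') return false;
            ++p;
        }
    }
    out = OpenSslVersion{(unsigned)parts[0], (unsigned)parts[1], (unsigned)parts[2], 0, 0xf};
    if (*p >= 'a' && *p <= 'z') { out.patch = *p - 'a' + 1; ++p; }   // "1.0.1g"
    if (strncmp(p, "-beta", 5) == 0)                                   // "1.0.2-beta1"
        out.status = (unsigned)strtoul(p + 5, nullptr, 10) & 0xf;
    else if (strncmp(p, "-dev", 4) == 0)
        out.status = 0;
    return true;
}

HeartbleedAction classify(const OpenSslVersion& v) {
    // Everything before 1.0.1 predates the TLS Heartbeat extension and cannot leak this way.
    if (v.major < 1 || (v.major == 1 && v.minor == 0 && v.fix < 1))
        return HeartbleedAction::OldUpgradeOnly;
    // 1.0.1 (patch 0) through 1.0.1f (patch 6) are affected; 1.0.1g (patch 7) carries the fix.
    if (v.major == 1 && v.minor == 0 && v.fix == 1)
        return v.patch <= 6 ? HeartbleedAction::VulnerableRotate : HeartbleedAction::NotAffected;
    // 1.0.2 dev snapshots and beta1 shipped the bug; beta2 was the first fixed pre-release
    // (OpenSSL advisory for CVE-2014-0160). Dev snapshots are conservatively treated as affected.
    if (v.major == 1 && v.minor == 0 && v.fix == 2 && v.status <= 1)
        return HeartbleedAction::VulnerableRotate;
    return HeartbleedAction::NotAffected;
}

HeartbleedAction triageVersionNumber(unsigned long packed) {
    return classify(decodeVersionNumber(packed));
}

// Fail closed: a banner we cannot read is treated as affected until proven otherwise.
HeartbleedAction triageVersionString(const std::string& text) {
    OpenSslVersion v;
    return parseVersionString(text, v) ? classify(v) : HeartbleedAction::VulnerableRotate;
}

const char* adviceFor(HeartbleedAction a) {
    switch (a) {
    case HeartbleedAction::NotAffected:    return "not affected: deploy normally, keep keys";
    case HeartbleedAction::OldUpgradeOnly: return "pre-1.0.1: upgrade with next release, keep keys";
    default:                               return "AFFECTED: upgrade now, revoke+regenerate keys, change passwords";
    }
}

int main() {
    // Constructed sample inputs; in a Qt 5 app the same values come from
    // QSslSocket::sslLibraryVersionNumber() / sslLibraryVersionString() at run time.
    const char* samples[] = { "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1e 11 Feb 2013",
                              "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014",
                              "not an openssl banner" };
    for (const char* s : samples)
        printf("%-34s -> %s\n", s, adviceFor(triageVersionString(s)));
    return 0;
}
```

Feed it the value reported by the deployed application, not by the build machine: with a dynamically linked OpenSSL, the library Qt loads at run time is what decides the outcome, which is why the Linux step in the mail is a package update rather than a rebuild.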