[Interest] [Development] Heartbleed Bug and Qt
Konrad Rosenbaum
konrad at silmor.de
Fri Apr 11 21:25:29 CEST 2014
Hi,
On Thursday 10 April 2014, Turunen Tuukka wrote:
> Although Qt as such is not affected by the Heartbleed Bug (CVE-2014-0160)
> found in OpenSSL, it affects users of Qt and our servers, so I wanted to
> write a short summary about the topic.
Thanks for the summary.
For everybody who did not get up to speed yet, here is a little algorithm on
what to do about your Qt applications:
* You use Qt with encrypted connections - this includes networked WebKit,
  QNetworkAccessManager with HTTPS or FTPS, QSslSocket - read on below.
  => Otherwise: You are done, go home, play with your kids, have a nice
  weekend.
* Using Linux: update your OpenSSL package using whatever standard command
  your Linux uses (apt-get upgrade, yum ...), ask your users to do the same.
* Using Windows or MacOS: download OpenSSL 1.0.1g, compile it, make your
  usual release tests (quickly!), deliver it to your customers. Urge them to
  install it immediately in case they value the data your app handles.
* Was it version 1.0.1 (or 1.0.2)? If yes: upgrade to 1.0.1g. Check the
  section below.
* Was it a version before 1.0.1? If yes: upgrade to 1.0.1g anyway, because
  your OpenSSL is really old. No need to change keys and passwords. Release it
  with your next program version. Done, join group one in enjoying your
  weekend.
If you used OpenSSL version 1.0.1 up to 1.0.1f, what to do AFTER upgrading:
* revert all secret keys that were used with your app, create new ones
  => this includes user keys and certificates!
* if you have a way of blacklisting old keys/certificates, please do so
  (something built into the program, CRL, OCSP, ...)
* ask your users to do the same if they generate their own keys with/for
  your software
* (have your users) change all passwords or other secrets that were
  transmitted using your application (if you/they reuse passwords you/they
  need to change it everywhere the same one is used)
[Enjoy the next weekend.]
Konrad
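
Added example, not part of the original mail and not code from Qt or OpenSSL: the version check from the steps above as a small C++ function that maps an OpenSSL version banner to the action the mail recommends. The names `Action` and `classify` are hypothetical, the sample banners are constructed, and in a Qt 5 application the banner would come from `QSslSocket::sslLibraryVersionString()`.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <tuple>

enum class Action { UpToDate, UpgradeOnly, UpgradeAndRotateSecrets, Unknown };

// Classify a banner such as "OpenSSL 1.0.1f 6 Jan 2014" following the steps
// in the mail above. Names are hypothetical, chosen for this example.
Action classify(const std::string& banner) {
    int num[3] = {0, 0, 0};
    std::size_t i = banner.find_first_of("0123456789");
    for (int p = 0; p < 3; ++p) {
        if (i >= banner.size() || !std::isdigit(static_cast<unsigned char>(banner[i])))
            return Action::Unknown;                    // not an x.y.z version
        while (i < banner.size() && std::isdigit(static_cast<unsigned char>(banner[i]))) {
            num[p] = num[p] * 10 + (banner[i++] - '0');
            if (num[p] > 9999) return Action::Unknown; // implausible component
        }
        if (p < 2) {
            if (i >= banner.size() || banner[i] != '.') return Action::Unknown;
            ++i;
        }
    }
    // Optional patch letter directly after the number: 1.0.1f -> 'f'.
    char patch = (i < banner.size() && std::islower(static_cast<unsigned char>(banner[i])))
                     ? banner[i] : '\0';
    auto v = std::make_tuple(num[0], num[1], num[2]);
    if (v < std::make_tuple(1, 0, 1)) return Action::UpgradeOnly;  // old, no key change
    if (v == std::make_tuple(1, 0, 1))                             // 1.0.1 up to 1.0.1f
        return patch >= 'g' ? Action::UpToDate : Action::UpgradeAndRotateSecrets;
    // The mail groups 1.0.2 (a beta when it was written) with 1.0.1.
    if (v == std::make_tuple(1, 0, 2)) return Action::UpgradeAndRotateSecrets;
    return Action::Unknown;                            // not covered by the mail
}

int main() {
    // Constructed sample banners in the format `openssl version` prints.
    const char* samples[] = {"OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1f 6 Jan 2014",
                             "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"};
    const char* text[] = {"up to date", "upgrade only",
                          "upgrade, then replace keys and passwords", "unknown"};
    for (const char* s : samples)
        std::printf("%-34s -> %s\n", s, text[static_cast<int>(classify(s))]);
    return 0;
}
```

The check fits the Windows/MacOS case where the application ships its own OpenSSL build. Linux distributions commonly backport fixes without changing the upstream version letter, so there the package manager's update status is the reliable signal, not the banner.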