FREESCO Support

[mark]

Hi,

last year 2 major vulnerabilities popped up, Heartbleed and now recently Ghost are urging IT people to patch their systems.

Is there a danger of these vulnerabilities on FREESCO v0.4.x and if so is there a patch we can roll out?

Kind regards,

Mark

[cgscs]

On freesco 0.4.4, the command "ldd -v" yield the following result:
ldd: version 1.9.9

Hence, if I righlty understand the advisory http://www.openwall.com/lists/oss-security/2015/01/27/9, freesco is not vulnerable concerning de Ghost security threat since the glibc version is used is not affected by the vulnerability:

- The first vulnerable version of the GNU C Library is glibc-2.2,
released on November 10, 2000.

- We identified a number of factors that mitigate the impact of this
bug. In particular, we discovered that it was fixed on May 21, 2013
(between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
was not recognized as a security threat; as a result, most stable and
long-term-support distributions were left exposed (and still are):
Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
Ubuntu 12.04, for example.

Concerning the heartblead flaw, it concerns openssl which is there only if you did manually install it. In that case, you should check the version you installed and eventually take do whatever is necessary to patch ou install a safer verson.

Good luck.

[Lightning]

The 04x system is not vulnerable, however if you have the "bash" or "utils" packages installed it is. I have been working on the bash package and installed the current patches, but it still seems to be vulnerable at least while using the old "env" binary included in the "utils" package. You can just delete or rename the /usr/bin/env binary from the system and it will pass the tests. But I haven't found (not looked hard for) the source code for the env binary yet.

[mark]

Ok Guys, thanks already for this effort.