[Maria-discuss] Heartbleed (OpenSSL) -bug and MariaDB
As far as I understand MariaDB uses OpenSSL (unlike Oracle-MySQL that uses YaSSL).
Now what about the heartbleed bug: http://heartbleed.com/
Will all still supported MariaDB versions (5.1, 5.2, 5.3, 5.5 and 10.0 are all still supported I think?) need a release for this bug in OpenSSL?
-- Peter
-- Webyog
On 09.04.2014 15:21, Peter Laursen wrote:
As far as I understand MariaDB uses OpenSSL (unlike Oracle-MySQL that uses YaSSL).
Now what about the heartbleed bug: http://heartbleed.com/
Will all still supported MariaDB versions (5.1, 5.2, 5.3, 5.5 and 10.0 are all still supported I think?) need a release for this bug in OpenSSL?
why should they?
update openssl and restart all daemons which are linking the library and consider replacing your certificates / private keys if a service using openssl was reachable from the internet
that's the idea behind shared libraries
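The advice above (upgrade OpenSSL, then restart every daemon linking the library) leaves open which daemons are still running the old copy. The following script is an added example, not part of the original thread, that answers this on Linux by looking for libssl/libcrypto mappings marked "(deleted)" in /proc/<pid>/maps. The function names and the sample PIDs, addresses and paths are constructed for illustration; a statically linked binary never shows such a mapping and needs a rebuilt binary instead.

```shell
#!/bin/sh
# Added example (not from the thread): find daemons that still map the old,
# replaced libssl/libcrypto after the OpenSSL package was upgraded.

# stale_tls_maps FILE: print the libssl/libcrypto paths that a
# /proc/<pid>/maps-format FILE lists as "(deleted)", i.e. replaced on disk.
stale_tls_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[^/]*[.]so" { print $(NF-1) }' \
        "$1" 2>/dev/null | sort -u
}

# scan_procs [ROOT]: print "pid command library" for every process under ROOT
# (default /proc) that needs a restart to pick up the fixed library.
scan_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        stale_tls_maps "$d/maps" | while read -r lib; do
            printf '%s %s %s\n' "${d##*/}" "$(cat "$d/comm" 2>/dev/null)" "$lib"
        done
    done
}

# make_sample DIR: constructed /proc-like tree. PID 4242 (mysqld) was started
# before the upgrade; PID 4243 (sshd) was restarted after it.
make_sample() {
    mkdir -p "$1/4242" "$1/4243"
    echo mysqld > "$1/4242/comm"
    echo sshd > "$1/4243/comm"
    cat > "$1/4242/maps" <<'EOF'
7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5d2000 r-xp 00000000 08:01 393298 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1bb000 r-xp 00000000 08:01 393120 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cat > "$1/4243/maps" <<'EOF'
7f8b20000000-7f8b201d2000 r-xp 00000000 08:01 393555 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
}

# "--live" scans the running system (run as root to read every process);
# with no argument the constructed sample is scanned instead.
case "${1:-}" in
    --live) scan_procs /proc ;;
    *) tmp=$(mktemp -d); make_sample "$tmp"; scan_procs "$tmp"; rm -rf "$tmp" ;;
esac
```

An empty result from `--live` after the upgrade means no running process still maps the replaced library.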
I think at least on Windows OpenSSL is statically linked? If so, all available versions have an affected OpenSSL inside.
-- Peter
On Wed, Apr 9, 2014 at 3:25 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 09.04.2014 15:21, Peter Laursen wrote:
As far as I understand MariaDB uses OpenSSL (unlike Oracle-MySQL that uses YaSSL).
Now what about the heartbleed bug: http://heartbleed.com/
Will all still supported MariaDB versions (5.1, 5.2, 5.3, 5.5 and 10.0 are all still supported I think?) need a release for this bug in OpenSSL?
why should they?
update openssl and restart all daemons which are linking the library and consider replacing your certificates / private keys if a service using openssl was reachable from the internet
that's the idea behind shared libraries
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
What about this http://security.stackexchange.com/questions/55249/what-clients-are-proven-to... 5.5.36 is listed).
And what about the C-API?
-- Peter
On Wed, Apr 9, 2014 at 3:31 PM, Peter Laursen <peter_laursen@webyog.com> wrote:
I think at least on Windows OpenSSL is statically linked? If so, all available versions have an affected OpenSSL inside.
-- Peter
On Wed, Apr 9, 2014 at 3:25 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
On 09.04.2014 15:21, Peter Laursen wrote:
As far as I understand MariaDB uses OpenSSL (unlike Oracle-MySQL that uses YaSSL).
Now what about the heartbleed bug: http://heartbleed.com/
Will all still supported MariaDB versions (5.1, 5.2, 5.3, 5.5 and 10.0 are all still supported I think?) need a release for this bug in OpenSSL?
why should they?
update openssl and restart all daemons which are linking the library and consider replacing your certificates / private keys if a service using openssl was reachable from the internet
that's the idea behind shared libraries
Hi, Peter!
On Apr 10, Peter Laursen wrote:
What about this http://security.stackexchange.com/questions/55249/what-clients-are-proven-to... 5.5.36 is listed).
And what about the C-API?
MariaDB 5.5.36 is vulnerable when it is built with system OpenSSL and system OpenSSL is vulnerable. Just as any executable, linked with OpenSSL.
The fix is to upgrade system OpenSSL. That's why we prefer to link with system dynamic libraries, not with bundled static ones.
Regards,
Sergei
Hi, Peter!
On Apr 09, Peter Laursen wrote:
I think at least on Windows OpenSSL is statically linked? If so, all available versions have an affected OpenSSL inside.
In Windows builds we use YaSSL.
So far I haven't heard that YaSSL is affected by this issue, I believe that it is not.
Regards,
Sergei
On 10.04.2014 20:57, Sergei Golubchik wrote:
Hi, Peter!
On Apr 09, Peter Laursen wrote:
I think at least on Windows OpenSSL is statically linked? If so, all available versions have an affected OpenSSL inside.
In Windows builds we use YaSSL.
So far I haven't heard that YaSSL is affected by this issue, I believe that it is not.
it is for sure not affected
that is an implementation specific bug of OpenSSL
http://www.yassl.com/yaSSL/Home.html is a different software as well as GnuTLS and NSS
participants (3)
- Peter Laursen
- Reindl Harald
- Sergei Golubchik