oss-sec mailing list archives

Re: Heartbleed, clients and Android


From: Nick Kralevich <nnk () google com>
Date: Wed, 9 Apr 2014 13:01:54 -0700

On Wed, Apr 9, 2014 at 3:21 AM, Hanno Böck <hanno () hboeck de> wrote:

Because the latter
would include Android. We are all pretty aware that Android updates
are in large parts nonexistent.

I don't have much clue about Android, but I think I heard heartbeat
was disabled in Android, but I don't have a link right now. Also, I'm
unsure what actually uses libssl in Android and what uses NSS.

Seems Android disabled Heartbeat in 2012:

https://android.googlesource.com/platform/external/openssl.git/+/android-4.1.2_r1

Still leaves some Android versions as potentially vulnerable.


All versions of Android are immune to CVE-2014-0160, with the limited
exception of Android 4.1.1. See also:
http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
