oss-sec mailing list archives
Re: Heartbleed, clients and Android
From: Nick Kralevich <nnk () google com>
Date: Wed, 9 Apr 2014 13:01:54 -0700
On Wed, Apr 9, 2014 at 3:21 AM, Hanno Böck <hanno () hboeck de> wrote:
Because the latter would include Android. We are all pretty aware that android updates are in large parts nonexistent.I don't have much clue about Android, but I think I heard heartbeat was disabled in Android, but I don't have a link right now. Also, I'm unsure what actually use libssl in Android and what uses NSS.Seems Android disabled Heartbeat in 2012: https://android.googlesource.com/platform/external/openssl.git/+/android-4.1.2_r1 Still leaves some android versions as potentially vulnerable.
All versions of Android are immune to CVE-2014-0160, with the limited exception of Android 4.1.1. See also: http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
Current thread:
- Heartbleed, clients and Android Hanno Böck (Apr 09)
- Re: Heartbleed, clients and Android Yves-Alexis Perez (Apr 09)
- Re: Heartbleed, clients and Android Hanno Böck (Apr 09)
- Re: Heartbleed, clients and Android Yves-Alexis Perez (Apr 09)
- Re: Heartbleed, clients and Android Nick Kralevich (Apr 09)
- Re: Heartbleed, clients and Android Eric Lacombe (Apr 09)
- Re: Heartbleed, clients and Android Hanno Böck (Apr 09)
- Re: Heartbleed, clients and Android Hanno Böck (Apr 09)
- Re: Heartbleed, clients and Android Yves-Alexis Perez (Apr 09)