oss-sec mailing list archives

Re: Heartbleed, clients and Android


From: Eric Lacombe <goretux () gmail com>
Date: Wed, 09 Apr 2014 23:45:44 +0200

Hi,

On Wednesday 9 April 2014 12:21:29, Hanno Böck wrote:
[...]
Because the latter
would include Android. We are all pretty aware that Android updates
are in large parts nonexistent.

I don't have much clue about Android, but I think I heard heartbeat
was disabled in Android, but I don't have a link right now. Also, I'm
unsure what actually uses libssl in Android and what uses NSS.

Seems Android disabled Heartbeat in 2012:
https://android.googlesource.com/platform/external/openssl.git/+/android-4.1.2_r1

Still leaves some Android versions as potentially vulnerable.

A recent post from Google security blog

http://googleonlinesecurity.blogspot.fr/2014/04/google-services-updated-to-address.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+GoogleOnlineSecurityBlog+(Google+Online+Security+Blog)

Regards,

        Eric

