HeartBleed vulnerability and ActiveTcl

Posted by grahams on 2014-04-09 11:59
Question: 

Is my version of Community/Business/Enterprise Edition ActiveTcl vulnerable to Heartbleed?

Answer: 

From a running tclsh:

% package require tls

The version of tls will be reported. Interpreters running tls 1.6.2 and 1.6.3 are vulnerable. Some installations of tls 1.6.1 are also vulnerable, depending on the age of the module: builds of v1.6.1 carrying a timestamp newer than Feb 2012 are vulnerable (the TEApot version is affected).

Unless the tls module has been locally updated:
- Enterprise ActiveTcl releases shipped before 2012Q2 are unaffected
- Community/Business Edition ActiveTcl 8.4.19.5 and older are unaffected
- Community/Business Edition ActiveTcl 8.5.11.0 and older are unaffected
- Community/Business Edition ActiveTcl 8.6.0.0b6 and older are unaffected

You can mitigate HeartBleed using the TEApot service:

teacup install tls -exact 1.6.3.1
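
The version check described above can be scripted so it can be run against every interpreter on a host. This is an added example, not ActiveState's own tooling; the proc names and status labels are made up for illustration, and using the loaded library's file modification time as a stand-in for the module timestamp is an assumption.

```tcl
# Added example: classify the tls package this interpreter loads, using the
# version rules stated in the answer above. Written to run on Tcl 8.4 and later.

# Map a tls version string to a status label (labels are illustrative).
proc heartbleed_status {ver} {
    # tls 1.6.2 and 1.6.3 are listed as vulnerable.
    foreach bad {1.6.2 1.6.3} {
        if {[package vcompare $ver $bad] == 0} { return vulnerable }
    }
    # tls 1.6.1 depends on the age of the module (newer than Feb 2012).
    if {[package vcompare $ver 1.6.1] == 0} { return check-timestamp }
    # 1.6.3.1 is the build the answer installs as the mitigation.
    if {[package vcompare $ver 1.6.3.1] == 0} { return mitigated-build }
    # Any other version is not covered by the answer.
    return not-listed
}

# Path of the shared library that provided tls, or "" if it was not
# loaded from a file (for example, statically linked).
proc tls_library_path {} {
    foreach entry [info loaded] {
        foreach {path prefix} $entry break
        if {[string equal -nocase $prefix tls] && $path ne ""} {
            return $path
        }
    }
    return ""
}

if {[catch {package require tls} ver]} {
    puts "tls cannot be loaded by this interpreter: $ver"
} else {
    set status [heartbleed_status $ver]
    puts "[info nameofexecutable]: tls $ver -> $status"
    if {$status eq "check-timestamp"} {
        # Assumption: file mtime approximates the module's build timestamp.
        # An install or copy can reset it, so treat it as a hint only.
        set lib [tls_library_path]
        if {$lib ne "" && [file exists $lib]} {
            set stamp [clock format [file mtime $lib] -format %Y-%m-%d]
            puts "  library: $lib (file modified $stamp)"
        } else {
            puts "  library path not available; inspect the module manually"
        }
    }
}
```

Run it with each tclsh or wish binary in use, since separate ActiveTcl installations can carry different tls modules.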