openssl

HeartBleed vulnerability and ActivePerl

Question: 

Is my Community/Business/Enterprise Edition version of ActivePerl vulnerable to HeartBleed?

Answer: 

ActivePerl Community/Business Editions which, as shipped, are affected:
- 5.14.4.1405 - upgrade to 5.14.4.1406 (Business Edition only) or 5.16.3.1604 to fix
- 5.16.3.1603 - upgrade to 5.16.3.1604 to fix
- 5.18.1.1800 - upgrade to 5.18.2.1802 to fix
- 5.18.2.1801 - upgrade to 5.18.2.1802 to fix

Modules supplied through PPM are unaffected.
Modules compiled locally must be reviewed locally for vulnerability.

Enterprise Editions can be distinguished from Community/Business Editions by the presence of an additional fifth number before the six-digit build number/version control number.
ActivePerl Enterprise Editions which, as shipped, are affected:
- 5.8.9.829.9 through 829.12
- 5.10.1.1009.9 through 1009.12
- 5.12.5.1206.2 through 1206.5
- 5.14.3.1404.2 through 1405.3
- 5.16.2.1602.2 through 1603.3

New Enterprise releases have been issued and can be located under the 2014Q1.1 folder.
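
Added example (not ActiveState's code): a Python check that classifies an ActivePerl version string against the two affected lists above, using the fifth number to tell Enterprise from Community/Business. It assumes the "through" ranges are inclusive and ordered by build number, then fifth number; the function and constant names are hypothetical.

```python
# Added example: classify an ActivePerl version string against the HeartBleed lists above.
# Community/Business builds listed as affected, mapped to the upgrade the page gives.
CB_AFFECTED = {
    (5, 14, 4, 1405): "5.14.4.1406 (Business Edition only) or 5.16.3.1604",
    (5, 16, 3, 1603): "5.16.3.1604",
    (5, 18, 1, 1800): "5.18.2.1802",
    (5, 18, 2, 1801): "5.18.2.1802",
}
# Enterprise ranges keyed by Perl series; bounds are (build, fifth number), inclusive.
# Assumption: the Perl patch level is ignored so "1404.2 through 1405.3" covers both builds.
EE_AFFECTED = {
    (5, 8): ((829, 9), (829, 12)),
    (5, 10): ((1009, 9), (1009, 12)),
    (5, 12): ((1206, 2), (1206, 5)),
    (5, 14): ((1404, 2), (1405, 3)),
    (5, 16): ((1602, 2), (1603, 3)),
}
EE_FIX = "new Enterprise release (2014Q1.1 folder)"


def check_activeperl(version):
    """Return (edition, affected, fix) for a dotted ActivePerl version string."""
    parts = version.strip().split(".")
    if len(parts) not in (4, 5) or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised ActivePerl version: %r" % version)
    nums = tuple(int(p) for p in parts)
    if len(nums) == 4:  # Community/Business: no fifth number
        fix = CB_AFFECTED.get(nums)
        return ("Community/Business", fix is not None, fix)
    bounds = EE_AFFECTED.get(nums[:2])
    # Tuple comparison orders by build first, then by the fifth number.
    hit = bounds is not None and bounds[0] <= nums[3:] <= bounds[1]
    return ("Enterprise", hit, EE_FIX if hit else None)


if __name__ == "__main__":
    # Constructed inventory, not taken from the page.
    for v in ["5.16.3.1603", "5.16.3.1604", "5.8.9.829.10", "5.14.4.1405.3", "5.20.1.2000"]:
        print(v, check_activeperl(v))
```

A result of "not affected" covers only the interpreter as shipped; locally compiled modules still need the separate review noted above.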

HeartBleed vulnerability and ActivePython

Question: 

Is my Community/Business/Enterprise Edition version of ActivePython vulnerable to HeartBleed?

Answer: 

No Enterprise versions of ActivePython are vulnerable.

No Community/Business Edition versions of ActivePython 2.x and no Community/Business Edition versions of ActivePython 3.0, 3.1, and 3.2 are vulnerable to HeartBleed.

Only Community/Business Edition ActivePython 3.3.2.0 and 3.3.4.1 are vulnerable.
An updated 3.3 release will be needed to address the vulnerability.

ActivePython and CVE-2015-1793

Question: 

Are ActivePython releases affected by CVE-2015-1793?

Answer: 

No ActivePython releases, in any product line, are affected by CVE-2015-1793.

ActivePerl and CVE-2015-1793

Question: 

Are ActivePerl releases affected by CVE-2015-1793?

Answer: 

No ActivePerl releases, in any product line, are affected by CVE-2015-1793.

ActiveTcl and CVE-2015-1793

Question: 

Are ActiveTcl releases affected by CVE-2015-1793?

Answer: 

ActiveTcl 8.4.6.1 is affected. No other releases were shipped with the OpenSSL libraries that have the issue.

Sites where Teacup updates have installed tls versions 1.6.6, 1.6.6.1, or 1.6.7 are also affected.

Mitigation:
tls version 1.6.7.1 will be released with an updated OpenSSL library, and can be installed to patch 8.4.6.1 or replace add-on tls versions in other releases.

Alternatively, teacup can be used to fall back to a tls version prior to 1.6.6, which is not affected.