OpenSSL 0.9.8 vulnerability not patched in OS X

Originator: pepi.zawodsky
Number: rdar://17176373
Date Originated: 05-Jun-2014 04:32 PM
Status: Open
Resolved:
Product: OS X
Product Version: Any
Classification: Security
Reproducible: Always
 
Summary:
On 2014-06-05 an OpenSSL security advisory was published: https://www.openssl.org/news/secadv_20140605.txt
OS X ships with vulnerable OpenSSL versions and many, many binaries linked against OpenSSL, leaving OS X and OS X server vulnerable to many of the CVEs. This affects OS X from at least 10.6 on, including the current 10.9.3 client and server versions.

Steps to Reproduce:
n/a. OS X ships with known vulnerable OpenSSL versions and many binaries linked against them.

Expected Results:
Apple must release an update patch to update the vulnerable OpenSSL versions.

Actual Results:
No update from Apple is available yet, leaving any OS X vulnerable.

Regression:
I have not checked OS X versions before 10.6.8 server.
