Yosemite ships with known vulnerable, prehistoric OpenSSL 0.9.8y

Originator: pepi.zawodsky
Number: rdar://17588982
Date Originated: 08-Jul-2014 02:50 PM
Status: Open
Resolved:
Product: OS X
Product Version: 10.10 b3
Classification: Security
Reproducible: Always
 
Summary:
Yosemite comes with vulnerable OpenSSL 0.9.8y

Steps to Reproduce:
Install Yosemite beta 3

Expected Results:
Yosemite should come with the current release of security-relevant software such as OpenSSL, or at least with the latest release of the 0.9.8 tree.

Actual Results:
Yosemite still ships with a prehistoric version of OpenSSL with at least 7 known vulnerabilities.

Regression:
OpenSSL should be upgraded to the current OpenSSL 1.0.1 release and binaries delivered with OS X should be linked against OpenSSL 1.0.1.
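As an added check that is not part of the radar: a POSIX sh helper that flags an `openssl version` banner older than 1.0.1 and picks the 0.9.8 libssl/libcrypto dylibs out of an `otool -L` listing, so an administrator can enumerate which shipped binaries still link the old library. The sample listing and its binary path are constructed, and `scan_dir` needs macOS `otool`.

```shell
#!/bin/sh
# Added audit helpers, not from the radar: flag an OpenSSL banner older than
# 1.0.1 and list the 0.9.8 dylibs a binary links, using `otool -L` output.

# openssl_below_1_0_1 "OpenSSL 0.9.8y 5 Feb 2013" -> exit 0 if older than 1.0.1
openssl_below_1_0_1() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p')
  [ -n "$ver" ] || return 2                       # not an OpenSSL banner
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
  [ $((major * 10000 + minor * 100 + patch)) -lt 10001 ]
}

# links_openssl_098 < otool_output -> prints the 0.9.8 libssl/libcrypto paths
# found in the listing and exits 0; exits 1 if the binary does not link them.
links_openssl_098() {
  found=$(sed -n 's|^[[:space:]]*\(/usr/lib/lib[a-z]*\.0\.9\.8\.dylib\).*|\1|p')
  [ -n "$found" ] && printf '%s\n' "$found"
}

# scan_dir /usr/bin -> prints every binary under the directory that still links
# the 0.9.8 dylibs. macOS only: needs otool from the command-line tools.
scan_dir() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    otool -L "$f" 2>/dev/null | links_openssl_098 >/dev/null && printf '%s\n' "$f"
  done
}

# Constructed `otool -L` listing for a hypothetical binary (not captured from
# a real Yosemite install) so the helpers can be exercised without otool.
SAMPLE_OTOOL='/usr/local/bin/example-tool:
	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'

if [ "${1:-}" = "--demo" ]; then
  openssl_below_1_0_1 "OpenSSL 0.9.8y 5 Feb 2013" && echo "0.9.8y is below 1.0.1"
  printf '%s\n' "$SAMPLE_OTOOL" | links_openssl_098
fi
```

On a real system, `openssl_below_1_0_1 "$(openssl version)"` and `scan_dir /usr/bin` give the two answers the radar asks about: which OpenSSL the OS ships and which default binaries are linked against it.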

Notes:
I am aware that OpenSSL is deemed deprecated on OS X by Apple.
It's also irresponsible to ship an outdated version of a security library that is used by many binaries linked against it that ship by default in OS X.
