Level 7

OpenSSL in Serv-U ver 15.x

The last Serv-U release notes which mention OpenSSL were from version 12.1.0.6 indicating OpenSSL 0.9.8x.


Does Serv-U version 15.x still use OpenSSL 0.9.8x or has that been updated?

I'm concerned about whether our Serv-U installation is affected by CVE-2014-0160, the Heartbleed OpenSSL vulnerability, which is a nasty one. OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable.

0 Kudos
5 Replies
Level 15

Hi,

As mentioned in this post, "Heartbleed.com - OpenSSL security concerns", Serv-U is NOT affected by this bug.

Peter

0 Kudos

This is great news.  FWIW, I'm tracking managed file transfer responses to the Heartbleed crisis on my blog.

0 Kudos
Level 10

Just confirmed in my own environment that the latest version of Serv-U, 15.0.1, does currently use OpenSSL 0.9.8.24. You can confirm this in your Serv-U installation directory. Specifically, the two file versions to check are:

  • SSLEAY32.DLL
  • LIBEAY32.DLL

Hence Serv-U is not currently affected by the Heartbleed bug mentioned here: http://heartbleed.com/

0 Kudos

I just checked ours with those two files and found out we're using 1.0.1e.

I went to another site, https://lastpass.com/heartbleed, to test vulnerability for our site and it came out as NOT VULNERABLE.

What other steps can I take to verify that our system is not affected by this bug?

0 Kudos

Did you manipulate the OpenSSL installation within Serv-U? It should not be version 1.0.1e. What is the location of those files you are checking?

0 Kudos
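The replies above quote OpenSSL versions in two notations: the release notes' letter form (0.9.8x, 1.0.1e) and the dotted form read from the DLL properties (0.9.8.24). The following is an added example, not code from any poster or from Serv-U, that normalizes both and compares them with the range given in the first post (1.0.1 through 1.0.1f inclusive). It assumes the fourth dotted number is the patch letter's position in the alphabet (24 = x), which matches the 0.9.8x / 0.9.8.24 pair in this thread; the sample readings are constructed, and the check reads the version label only.

```python
import re

# Range stated in the thread: OpenSSL 1.0.1 through 1.0.1f (inclusive).
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_PATCH = 6  # 'f' is the 6th letter

# Assumption: a dotted DLL file version carries the patch letter as a number.
_DOTTED = re.compile(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\w.])")
_LETTER = re.compile(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)([a-z]*)(?![\w.])")


def patch_index(letters):
    """'' -> 0, 'a' -> 1, 'x' -> 24, 'z' -> 26, 'za' -> 27."""
    if not letters:
        return 0
    return 26 * (len(letters) - 1) + ord(letters[-1]) - ord("a") + 1


def normalize(version):
    """Return (major, minor, fix, patch) for '1.0.1e' or '1.0.1.5' style input."""
    text = version.strip().lower()
    m = _DOTTED.search(text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _LETTER.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {version!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), patch_index(letters))


def letter_form(version):
    """Render any accepted input in release-notes style, e.g. '0.9.8x'."""
    major, minor, fix, patch = normalize(version)
    letters = "z" * ((patch - 1) // 26) + chr(ord("a") + (patch - 1) % 26) if patch else ""
    return f"{major}.{minor}.{fix}{letters}"


def heartbleed_affected(version):
    """True if the version label falls in 1.0.1 .. 1.0.1f."""
    major, minor, fix, patch = normalize(version)
    return (major, minor, fix) == AFFECTED_BRANCH and patch <= LAST_AFFECTED_PATCH


if __name__ == "__main__":
    # Constructed sample readings, as they might be copied from file properties.
    for reading in ["0.9.8.24", "1.0.1e", "1.0.1.7", "OpenSSL 1.0.1e 11 Feb 2013"]:
        status = "in affected range" if heartbleed_affected(reading) else "outside range"
        print(f"{reading!r:32} -> {letter_form(reading):8} {status}")
```

A result of "in affected range" from the file version is a reason to confirm which copy of the DLLs the running service actually loads, since the label alone does not show how the library was built or whether it is the one in use.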