Heartbleed bug and Mavericks

Are there vulnerabilities from the Heartbleed bug using Mavericks?

charliefrommi wrote:
How can one know whether or not a server is secure?
There are a number of testing tools available and websites that list the current status of the major websites. C|net is one of them. Security experts say you should change your password for any affected site only AFTER they have patched their servers. Doing so before the site is updated doesn't prevent anything.
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Similar Messages

  • Does the Heartbleed Bug affect macs?

    I have been hearing about the heartbleed bug and just wondering if it is affecting Apple products?

    The Heartbleed issue is a server, not a client, issue. In short, yes, it doesn't matter what you are running to connect to a site, the issue lies in what the server has installed for SSL. But the risk is not in infecting your Mac as much as stealing your login and other information.
    This might help you to understand what is happening: http://tidbits.com/article/14662?rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+tidbits_main+%28TidBITS%3A+Mac+News+for+the+Rest+of+Us%29

  • Does the SCCM updates manager use OpenSSL, and is it vulnerable to the Heartbleed bug?

    I'm 99.99% positive I know the answer, but my boss wants to know for SURE. Does the SCCM updates manager use OpenSSL, and is it vulnerable to the Heartbleed bug?
    Thank you for appeasing him.

    I must be misunderstanding something here. Would you please help me understand why this isn't answerable here? How does this have anything to do w/ our TAM? SCCM is SCCM regardless of where we got it, right? I'm quite perplexed, so thank you for clearing this up.
    My guess is liability. What if we're wrong? Very few people who frequent these forums are actual Microsoft employees.
    If you want a 'for sure' answer, you're best off contacting Microsoft directly IMHO.
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)

  • PI and the Heartbleed bug

    Hi all PI experts.
    Does anyone know if we (using SAP PI) are affected by the heartbleed bug for openSSL? Or where to find information about which versions of PI that can be affected by this?
    Regards,
    /Anna

    Just got a reply from SAP that their Product Security Response Team are currently working on the issue and that they will publish information when they have any to give.
    /Anna

  • What should Mac users do about the Heartbleed bug?

    I've been reading about this new Heartbleed bug where you should change all your passwords. It seems these days that quite frequently something like this appears, and the first thing they tell you is to change all your passwords. I would just like to know from someone who knows what they are talking about how Mac devices are affected by Heartbleed. Do I need to make a mad dash to change all my passwords?

    The short answer to your first question is - if you're worried, change your password. Better safe than sorry. If it's just a few sites, it shouldn't be too onerous a task, hopefully.
    Gaining access to one site does not allow an intruder to access other sites.
    When you say "log into" Youtube or Google - just to clarify:
    - If you use your web browser to go to youtube.com, and view videos, or you go to google.com, and do a search for something, technically you're not logging in. You're just visiting. This poses no risk to you.
    - However, if you go to youtube.com, or google.com, and click "Sign in", and enter a user name (usually an email address) and password, then you're logging in, and your password and other information may be at risk.
    When you visit Google, look at the very top of the screen. If you see your name there, you're signed in, and you DO have a Google account. If you don't, you're not signed in, and from what you say, you probably don't have a Google account.
    The only way that email might be affected is if you regularly access your email through the web (i.e., you log onto http://comcast.net), and your mail host (Comcast) tells you that they were susceptible to Heartbleed. Accessing mail through a mail application (the Mail app on your Mac, for example) is not affected by this issue. It's really all about websites. Most applications, such as iTunes, are not affected. (I say "most" because some may have used OpenSSL to access services, or are linked to sites which use OpenSSL - such as Dropbox.)
    Matt

  • Is there a fix for the Heartbleed bug for iMac, iPad, iPod?

    I just read an article that Google has come out with a fix for PC users to download so they will not be affected by the Heartbleed bug.  I was wondering if Apple has come out with a security fix of their own yet?  

    MsAnnieB2 wrote:
    I just read an article that Google has come out with a fix for PC users to download so they will not be affected by the Heartbleed bug.
    I've searched for this on Google, but have not found anything. Can you tell me more? If they have found a solution for PCs then there is a good chance it can be made to work with Macs.
    I was wondering if Apple has come out with a security fix of their own yet?  
    Although the information you were given is the best available at this time, I really don't feel it adequately answered your question.
    As far as I have been able to find out, all computer users are equally impacted by this issue and there is no way to protect yourself other than to stay off of secure sites until they have told you they are safe. Don't even go onto those sites to change your password until you know that they are safe.

  • Heartbleed bug in Relay Server

    According to http://service.sap.com/sap/support/notes/2007688 the Heartbleed bug has been fixed for the corresponding products.
    I did not find anything explicitly mentioning the Relay Server in the release notes.
    So for clarification: has the Relay Server been fixed too? And if so I would like to know as of which version.
    In SMP 3.0 SP03 PL01 and in SMP 2.3 SP04 PL01 (I only took a look at those 2) there is a Relay Server included. Does this Version of the Relay Server include the fix for the Heartbleed bug?
    Thanks,
    Klaus

    Hi Klaus,
    The versions indicated in that note include fixes for all the components.  In this case, utilizing the Relay Server version included with SMP 3.0 SP03 PL01 & SMP 2.3 SP04 PL01 will include patches for the Heartbleed issue.
    As a side note, the Relay Server is part of the SQL Anywhere platform so we can also use those values from the note as well.  The SP level can be a bit difficult to compare against your actual version but you can use the following:
    SQL Anywhere 16.0.0 SP 11 -> 16.0.0.1824  (This is the version shipped with SMP 2.3 SP04 PL01)
    Hope this helps,
    Edgar

  • Do I need to take any action over the Heartbleed bug?

    Do I need to take any action over the Heartbleed bug?

    You can use this website to test the sites, like banking sites, for protection to the Heartbeat issue: Qualys SSL Labs - Projects / SSL Server Test.
    Just enter the URL of the site and it will test it for compliance.
    OT

  • Are any versions of Firefox susceptible to Heartbleed bug CVE-2014-0160 ?

    Do any versions of Firefox use OpenSSL?
    If so, which versions of Firefox would be vulnerable to the Heartbleed bug CVE-2014-0160 that has recently been identified?
    As covered in:
    http://heartbleed.com/
    http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

    An interesting article on the Heartbleed vulnerability and its probable extent
    * http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

  • "Heartbleed" bug in OpenSSL

    I've just been reading about "heartbleed", which is a bug that has existed in OpenSSL for two years.  This makes our passwords and other information, including content, susceptible to being uncovered.  Is the icloud.com site secure at risk?  I tested the site with a tool provided by lifehacker.com and it showed there was a problem.  I have tested other sites and they came back with a secure result.
    Anyone know anything about this?  I'm concerned that all my email etc can possibly be vulnerable.
    Thanks
    Melissa

    In addition to what we all think of as servers, a variety of other Mac and iOS apps are potentially vulnerable. Why? Because many apps use "server-like" features. For example: using POP3, IMAP or SMTP protocols.
    A good example of an iTunes App Store app that has been vulnerable is FileMaker Go 13, along with other FileMaker versions for OS X.
    Any user of the following FileMaker application versions needs to be aware that their secure data may have been compromised. They need to read the notice I've linked below, consider whether they have made use of the noted features, and determine if their use may have compromised sensitive information. If so, they need to not only update their copy of FileMaker, but also regenerate sensitive information as recommended by CERT (in the bottom link below.)
    http://help.filemaker.com/app/answers/detail/a_id/13384/~/filemaker-products-and-the-heartbleed-bug
    FileMaker Go 13 https://itunes.apple.com/us/app/filemaker-go-13/id675292600
    FileMaker Server 13 (Sold by Apple but not in App Store)
    FileMaker Pro 13, FileMaker Pro 13 Advanced (Sold by Apple but never officially in the App store)
    The very nature of the HeartBleed bug is such that any app that was ever vulnerable to HeartBleed must be properly addressed. See the official CERT HeartBleed Bug announcement (http://www.kb.cert.org/vuls/id/720951): "Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items. Old keys should be revoked."
    Blessings,
    Pete
    (PS, I am setting up a test environment to discover which of the Apps I own are vulnerable. I hope to report back before too long.)

  • Verizon Router & the Heartbleed bug

    Is my router's firmware up to date as per the Heartbleed bug? Apple had to update its AirPort routers firmware, so is my Verizon router secure? Anyone know or can help?
    My question stems from the CNNMoney article...
    money.cnn.com/2014/04/24/technology/security/heartbleed-security/index.html?iid=Lead
    So I figured to ask and the "Ask Verizon" auto agent is useless for questions like this. thx

    I've asked someone in-the-know at Verizon, and they have indicated the FiOS routers do not suffer from the Heartbleed bug.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • BUGS and FEATURES REQUESTED. Please add to it.

    I've been using the z10 for the past couple weeks and wanted to start a thread of comprehensive Bugs and Features Requested.
    I've labeled Bugs by letters (A,B,C...) and Features Requested by numbers (1, 2, 3...) so that others can add sequentially.
    BUGS
    (Not listed in any particular order)
    (A.) Contact App adds current date as birthday. When I edit my contact, the current date gets listed as the birthday in local contact.
    (B.) Duplicate telephone numbers listed. Telephone numbers show up twice in my Contacts (e.g., if I have the contact's cell saved in (000) 123-4567 format and the person has the number listed in Facebook, I get a duplicate entry of +10001234567).
    (C.) Telephone numbers and emails are not actionable in Web pages. In webpages, I can't click on telephone number to call (e.g., I look up a phone number for a restaurant). I should be able to easily call or copy into the Phone App or E-mail App.
    (D.) Auto capitalization for words on the word substitution list is wrong. For example, when the word substitution contains more than one word. I have "ru" change to "are you" but if the first letter is capitalized (R) then both words become capitalized words (Are You). I used to have shortcuts like "mysig" to create email signatures with legal disclaimers but I can't do that now.
    (E.) Backspace delete doesn't work consistently. The Shift+Delete function seems only to work after moving the cursor. This feature is the Alt+Del action to delete words after the cursor.
    (F.) All Emoticons do not list. Emoticons do not all fit on the two screens (lists) of emoticons. I.e., two columns are missing from view and can be seen when sliding (swiping) between the lists. Also, sometimes when I select an emoticon, it doesn't correspond with the picture of the one I intended. I believe this error is related. As a separate note, there should be a way to see the underlying symbols of the emoticon. (Often times, other people don't have BlackBerrys so I'd like to know what symbols would be sent--my prior 9800 would show the characters as I scrolled through them).
    (G.) BlackBerry keyboard doesn't always work in input fields. E.g., certain Web pages. (I found a work around; two finger swipe up from the bottom makes the keyboard appear)
    (H.) Sent messages stay unread. This seems to be an issue when an app sends an email (e.g., share article). The email with the sent indicator (checkmark) stays bold and I have listed 1 unread email. I can't mark as read/unread but if I delete the sent email, my unread message gets cleared.
    (I.) Contact already added but I get the option to add instead of view contact. For some contacts, I get the option to add to contacts in the action menu cascade when that person is already in my address book. This bug is for emails and text messages.
    (J.) Cannot call from text message. When I hold a text message and select call under the action menu cascade, the OS opens up the phone app but doesn't call.
    (K.) Composing messages by name. When composing messages, the input must be by first, middle and last name. It should be, instead, by string and include nickname. E.g., if the person's name is "Andrew B. Cameron" I must type the name in as such. I can't type in "Andrew Cameron" or "Andy Cameron."
    Features Requested and Suggestions for Improved User Experience
    (In no particular order)
    1)      Option to reply in different ways from the Call List. Be able to select a name in a call list and have options to call, text or email the person. The action menu allows calls to other numbers but I can't choose to text or email the contact instead. Sometimes, I missed a call and want to reply via text because I’m not able to talk. (Long hold on the Torch 9800 trackpad button brought up the action menu allowing me to call, text, view history, add to speed dial, e-mail, delete, etc.)
    2)      Option to reply in different ways from the Hub. Related to above, when selecting an item in the hub, have the option to contact the sender or caller with multiple different ways.
    3)      Only show number once in contacts application. Tap on the number to bring up the "action" cascade menu with options to call or text the number. Why is the same number listed twice (once to call and below again to text it)?
    4)      Timestamps for individual text messages. I can't tell exact time on individual text message if it comes in near the time of another text. All messages are in one "bubble."
    5)      Ability to select MMS or text for a message. Sometimes I write a text longer than 160 characters and I prefer it to be sent in one message (i.e., MMS mode) rather than being broken into one or more standard text messages. I had this ability with my 9800.
    6)      Send button should be moved for text messages!!! Why the heck is it right underneath the delete button?!? Or next to the period button? I often times have accidentally hit send when composing text. It's very annoying and embarrassing. (Also, what happened to the ability to hit enter for a return carriage to next line?)
    7)      Bigger magnifying glass. My finger is often over the area I need to place the cursor. I find it difficult and erratic to place the cursor.
    8)      Select all option. Add the option to select all text in action menu cascade.
    9)      E-mail recipients and message headers. Difficult to tell if you are one of many email recipients. Can we have a way to pull the email down to see the list of recipients rather than have to click to expand the header info? I know this request is a little picky, but that's how it was done in the previous BlackBerry OS which I preferred; it is easier and faster to pull the e-mail down and 'peek' to see which e-mail box received the message, message status, from and to fields. This change would be consistent with BB's flow/peek rather than click.
    10)   Browser navigation. Hold down back arrow to get a list of recently visited websites similar to a desktop browser.
    11)   Dark/Night mode. A night mode (maybe in the drop down menu) to change all the white and bright backgrounds to black or dark which would be helpful when reading/viewing things at night in bed/etc.
    12)   Number of contacts. Ability to see how many contacts I have.
    13)   What happened to groups or categories? I'd like to have back the ability to filter or see categories and also a way to contact everyone in a category. E.g., family or friends or coworkers, etc.
    14)   Shutter sound mute. I was at a wedding and wanted to take pictures during the ceremony but the shutter sound was too loud.
    15)   East Asian Language Input. I bought my parents two Samsung Galaxy S3 phones over the weekend because they need Korean input (and the Kakao talk app). (BTW, S3 is a great phone but I prefer the Z10 after having the weekend to use the Android phones).
    16)   Ability to freely place icons on the homescreen. Currently, icons are forced top left-right-to-bottom. I prefer to space my icons out.
    17)   Add a contact to the homescreen. I'd like to place a shortcut (similar to a Webpage) to the homescreen for a contact which will open up the contact. Android allows this feature and so did my previous 9800.
    18)   Search Contacts by nickname. The contacts app doesn't allow me to search by, e.g., Andy, even if I have that as my contact's nickname. The previous OS allowed this type of search which was very helpful.
    Finally, as a note, I've been using the BlackBerry Z10 for the past 2 weeks and it's a great platform. I just bought two Samsung Galaxy S3 phones over the weekend for my parents so they could use the Korean language input and related features so I spent a lot of time with the Android platform, setting it up and teaching them how to use it. The S3 is a great phone too.
    I prefer, however, the way BlackBerry has done their OS 10 and the integrated management of messages.
    It's too bad that BB doesn't have Korean input and apps like Kakao Talk or I would have considered it for them.
    The BlackBerry 10 is a great platform and I look forward to the continual improvements that will only make the experience better.

    This is a great post.
    I couldn't have written it myself better.
    I'm also in dying need of Korean input as I can't communicate with my Korean friends.
    But I second every point.
    I hope the tech teams are reading this.

  • As a Mac user, what action do I take in relation to the Heartbleed bug?

    As a Mac user, what action do I take in relation to the Heartbleed bug?

    None except don't visit servers that have not updated their openssl server.

  • When I enable imatch on my iPhone 4s it takes approximately 30 minutes before other data fills 13.2gb of usable data. This problem does not occur when I manually sync music to my phone. Is this a common bug, and if so; is there a fix?

    When I enable imatch on my iPhone 4s it takes approximately 30 minutes before other data fills 13.2gb of usable data on the phone. This problem does not occur when I manually sync music to my phone only when I access imatch. Is this a common bug, and if so; is there a fix?

    Yes it is. You can sign out of iTunes account then sign back in. Use http://support.apple.com/kb/ht1311 to sign out.

  • Java PDK Bugs and Issues

    Here are some bugs and issues I've run across using the JPDK that I thought other
    developers should be aware of. The following information comes from using JPDK
    1.1 with Oracle Portal Version 3.0.6.3.3 Early Adopter on Windows 2000.
    1) Do not use a colon character (':') in the String value returned by the method getTitle( Locale l ) in the class Portlet. Registering the provider will appear to succeed, but when you view the Portlet Repository you will get the following error message:
    An Unhandled Exception has occurred. ORA-06502: PL/SQL: numeric or value error:
    character to number conversion error
    Your provider and its portlets will not appear in the Portlet Repository when this error occurs.
    Perhaps other characters will cause this error as well.
    2) The Provider class method initSession() is supposed to propagate the array of returned Cookies back to the browser. The Cookies are never propagated to the browser. This is a huge road-block for our application and we need to have this problem fixed as there is no workaround.
    3) There is a limit to the number of portlets you can have per provider. I initially wrote a provider class that managed 19 portlet classes. However, after registering the provider only 17 portlet classes were loaded by the provider and/or displayed by the Portlet Repository. I had to create a second provider to manage additional portlets. The second provider worked out fine for me because I have 5 portlets that are for "administrator" users only. Moving these portlets left 14 portlets for the first provider to manage.
    Note: I don't know if this error occurs using the provider.xml method of implementing a provider and its portlets. My provider and portlets are implemented directly using the Java class API's.
    4) Sometimes I will receive the error "Meta data missing for portlet ID=<number>" when a portlet is rendered for the first time. This error does not occur often but when the error happens two conditions are met:
    a) The portlet is being rendered for the first time
    b) The HTTP and Web Assistant NT services have recently been started.
    This error is obviously caused by some timeout but increasing the timeout values
    for both the provider and the portlet has no effect. This error may be restricted to the NT platform.
    The following notes are not bugs but issues to be aware of:
    1) Make sure you have the "sessiontimeout" parameter defined when declaring the initArgs of a servlet in the zone.properties file and you intend to register your provider with a "Login Frequency" of "Once per User Session". For example:
    servlet.urlservlet.initArgs=debuglevel=1,sessiontimeout=1800000
    If you leave off the session timeout, Oracle Portal will call your provider's initSession() method for every request constantly generating a new session ID.
    2) Currently there is no means to check whether a ProviderUser has administrative
    privileges. This feature would be extremely helpful for restricting which portlets a user has access to when the provider's getPortlets() method is called.
    3) Currently there is no Java API for storing user and global preferences in the
    Oracle database. The JPDK provides a PersonalizationManager class but the method
    of storing the preferences needs to be implemented by the developer.
    The default Personalization Manager persists user preferences as a file
    to disk. However, this method opens up security holes and hinders scalability.
    We got around the security and scalability issues by using Oracle's JDBC
    driver to persist user and global preferences to custom tables in the underlying Oracle database.
    I would appreciate hearing from anyone who has run across the cookie propagation issue and has any further insights.
    Thanks...
    Dave White

    David,
    Thank you for your feedback on the JPDK. The information you provide helps us understand how customers are using 9iAS
    Portal and its development kits. I apologize for the delay in getting back with you. Since you are using the Early Adopters
    release, we wanted to test a few of the bugs and issues on the production release of 9iAS Portal.
    1) Using a colon character (:) in the String value returned by the method getTitle(Locale l) returned the ORA-06502 error is a
    known issue. This issue actually occurs within 9iAS Portal and should be resolved in the first maintenance release scheduled
    for 9iAS Portal.
    Waiting on reply from Nilay on #1
    2) The Provider class method initSession() not propagating the array of returned cookies back to the browser is an issue that we are currently working on. This bug has been fixed for most cases in the first maintenance release. A 100% fix of this issue is still being worked on.
    3) The limit to the number of portlets you can have per provider was an issue in the Early Adopter release, but is no longer an issue with 9iAS Portal production. Upgrade to the production release and you should no longer see this problem.
    4) The error "Meta data missing for portlet ID=<number>". I have not seen or heard about others receiving this same message. For this error, can you upgrade to the production version and let me know if you still receive this error message. At that time we can check for differences within the configuration.
    Not bug, but issues......
    1) You have made a good point with the sessiontimeout parameter. The JPDK uses servlet 2.0 APIs which do not provide access to the sessiontimeout. Currently, you will need to specify the sessiontimeout parameter in the zone.properties file.
    2) This is true. Currently there is no means to check whether a ProviderUser has administrative privileges. This is on our features list for future enhancements.
    3) This is also true. The DefaultPortletPersonalizationManager was created as a default runtime for developers not used to writing portlet code. It allows developers to write portlet code without concentrating on the underlying framework. Once a developer becomes more experienced with the JPDK and portlet environment, we encourage them to create their own
    customization manager. This includes changing how the portlet repository is stored or changing how the user customization is
    handled and where it is stored. You have no limitations as long as you follow the guidelines of the PortletPersonalizationManager interface.
    I hope this information helped. Again, we appreciate and welcome this type of feedback, it helps us not only locate bugs and issues, but also helps prioritize our enhancement list.
    Sue
