The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,805 other followers

The curse of vulnerable OpenSSL DLLs

Posted by jpluimers on 2016/12/30

When you ship OpenSSL DLLs, you should provide an update mechanism outside of your regular product cycle that updates these shortly after vulnerabilities are fixed.

Few if any products do that. So I made an overview from products and OpenSSL DLL versions I had installed on various systems.

I’m a developer, so the list is biased towards tools I use often.

All of them are vulnerable: [WayBack

  • 1.0.2.h by ContinuaCI PostgreSQL and Avast 12.3
  • 1.0.2.g by SourceTree 1.9.x embedded git_local
  • 1.0.2d by Git for Windows 2.6.1
  • 1.0.2a by SQLite browser 3.7.0
  • 1.0.1m by Delphi 10.0 Seattle
  • 1.0.1l by Ruby 2.3
  • 1.0.1f by SlikSvn 1.8.5
  • 1.0.1g by Delphi XE8, Delphi XE7, VMware Workstation OVF tool and Adobe Creative Cloud 2.8.1
  • 1.0.0g by Delphi XE6, Delphi XE5, Delphi XE4, Delphi XE3, Appmethod 1.13 and CollabNet SVN Client 1.7.5
  • 1.00d by MarkdownPad 2
  • 1.0.0 by FinalBuider 7 XE2 and FinalBuilder 7 EE
  • 0.9.8za by VMware Remote Console Plug-in 5.1 and VMware Virtual Infrastructure Client 5.1
  • 0.9.8y by VMware VIX Workstation 10
  • 0.9.8t by Veaam Backup and Replication
  • 0.9.8r by ContinuaCI hg support, VMware VIX and VMware Workstation 8.0.2
  • 0.9.8q by Veeam Backup Transport, Veaam Backup, xampp 1.7.4 and Replication and VMware Virtual Infrastructure Client 5.0
  • 0.9.8o by xampp 1.7.4
  • 0.9.8l by xampp 1.7.4
  • 0.9.8n by Delphi XE2, Delphi XE and VMware VIX Workstation 7.1.0
  • 0.9.8m by VMware VMRC Plug-in, VMware VIX and VMware Workstation 8.0.2
  • 0.9.8i by VMware Virtual Infrastructure Client 4.1
  • 0.9.8d by Database Workbench Pro 4.4.3, Database Workbench Pro 5.2.4 and VMware vSphere CLI Perl
  • 0.9.8b by Adobe Creative Suite 5
  • 0.9.7m by VMware VIX server 1.0.9
  • 0.9.7l by VMware VIX VIServer 2
  • N/A by Adobe Create Suite 5 and VMware VIX server 1


via: [WayBackDoes Delphi installer install OpenSSL dll’s?

PS: Below some Software Archeology related links in the comments.

7 Responses to “The curse of vulnerable OpenSSL DLLs”

  1. Edwin Yip said

    @Jeroen, thanks for the write up. Does the vulnerabilities effect desktop programs (non-server-side software)? Thanks

    • jpluimers said

      I don’t know: I stopped using InterBase a long time ago for various reasons, the most important one the brain drain of the InterBase team.

  2. Joseph Mitzen said

    You left out one of my “favorite” examples, Interbase. When the heartbleed bug was revealed, one of Embarcadero’s never-ending supply of managers, Stephen Ball (“Stephen Ball Embarcadero Senior Product Marketing Manager (RAD) & Associate Product Manager (InterBase)”) made a short blog post about it. Fortunately Delphi Feeds has it archived for posterity (and because it’s hard to believe this really happened):

    ” I am sure many of you have seen in the news this week the well publicised vulnerability in OpenSSL that has been named Heartbleed. and InterBase is not affected by this issue. InterBase encryption uses OpenSSL version 0.9.8g (InterBase 2009), version 1.0.0a (InterBase XE) and version 1.0.0d (InterBase XE3). These editions are NOT affected by this vulnerability….”


    Both myself and Luigi Sandon independently emailed him the same day, explaining that using old versions of OpenSSL was not something to brag about and not a means of security. Worse, we each independently looked up the listed versions and discovered several unpatched security vulnerabilities! Note the irony of titling the post “OpenSSL and Interbase – all is OK”. We both had asked him to remove the mention of the specific versions being used, since they were just advertising to hackers which vulnerabilities to exploit in Interbase.

    As is usual for Stephen Ball, he never posted either myself or Luigi’s comments (many Delphi community members will attest that Ball never approves a comment that points out an error or even has a different opinion). He didn’t change the text of the post, either… at least not right away. It appears that some time later he finally did, since the post today omits the versions (with no mention the post was edited).

    I don’t care how much it riles Marco Cantu when I say it; I’d gladly trade 10 Embarcadero managers for one employee with an actual background in security… or even just one who does not have “marketing” anywhere in their job description.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: