Orion Consulting Statement on the 'Heartbleed' Bug

2014-04-11

On April 7th 2014, it was announced that some versions of the OpenSSL security software had a severe bug, which could potentially allow sensitive data held on a server to be revealed to third parties. This is a major bug in a widely-used piece of software, which has made national headlines and affected many companies and individuals; a good explanation of the bug is available on the Wikipedia page: http://en.wikipedia.org/wiki/Heartbleed

PathFinder uses the OpenSSL library for all secure communications, as well as certificate handling, encryption, digital signing, etc.

However, we are pleased to say that the version of OpenSSL we currently use pre-dates this bug – in other words, PathFinder is not affected by it. PathFinder currently uses OpenSSL version 1.0.0a – the bug was not introduced until 1.0.1a.

The developers of OpenSSL released a fixed version of OpenSSL (1.0.1g) on the day the bug was made known (i.e. Monday 7th April). However, we will NOT be upgrading to that version at this time. We have a long-standing policy of deliberately staying on slightly older, stable versions of libraries, particularly critical libraries such as OpenSSL. This is partly the reason we have not been affected by this bug in the first place. We do not believe that being on a 'bleeding edge' version of the library would bring any benefits, and there is the risk that other instability or bugs could have been introduced.
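The two paragraphs above reduce to a version-range question: is the linked OpenSSL build inside the Heartbleed-affected range, which ends at the 1.0.1g fix? The following is an added example (not part of the Orion Consulting statement, and not PathFinder code) that parses the version string in the shape printed by `openssl version` and classifies it. It assumes the published affected range, which starts at the beginning of the 1.0.1 series and ends with 1.0.1f; the statement's 1.0.0a and the 0.9.8 series fall outside that range either way. The banner strings are constructed samples, and OpenSSL's letter suffixes (1.0.1 < 1.0.1a < ... < 1.0.1g, and 0.9.8z < 0.9.8za) are ordered as tuples of letters so the comparison is correct across the whole scheme.

```python
import re

# Constructed sample banners in the shape `openssl version` prints them.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.0a 1 Jun 2010",   # the version the statement says PathFinder uses
    "OpenSSL 1.0.1e 11 Feb 2013",  # a widely deployed build inside the affected range
    "OpenSSL 1.0.1g 7 Apr 2014",   # the fixed release named in the statement
    "OpenSSL 0.9.8y 5 Feb 2013",   # older branch, never had the heartbeat extension
]

_VERSION_RE = re.compile(r"(?:^|\s)(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters) from a banner or bare version string.

    `letters` is a tuple of the patch-letter suffix characters, so an empty
    suffix sorts before 'a', and 'z' sorts before 'za' (the 0.9.8 series
    went past 'z' into two-letter suffixes). Returns None if no version is found.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), tuple(letters))


# Assumed published range: every 1.0.1-series build before the 1.0.1g fix.
AFFECTED_FIRST = parse_openssl_version("1.0.1")
FIXED = parse_openssl_version("1.0.1g")


def heartbleed_status(banner):
    """Classify a version string as 'affected', 'not affected' or 'unknown'.

    The verdict is based on the upstream version number only; see the note
    below about distribution builds that backport the fix without changing it.
    """
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    if AFFECTED_FIRST <= version < FIXED:
        return "affected"
    return "not affected"


def classify_all(banners):
    """Map each banner to its verdict, in input order."""
    return [(b, heartbleed_status(b)) for b in banners]


if __name__ == "__main__":
    for banner, status in classify_all(SAMPLE_BANNERS):
        print(f"{status:<13} {banner}")
```

One caveat a practitioner should keep in mind when applying this check: a verdict of "affected" from the version number alone is only a starting point, because Linux distributions routinely backport security fixes into a package while leaving the upstream version string unchanged, so a build that reports 1.0.1e may already carry the fix. Confirm against the vendor's package changelog or advisory before acting on the result, and treat "not affected" for a 1.0.0 or 0.9.8 build as what the statement describes: a branch that never contained the vulnerable code.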

We will review the versions of OpenSSL on offer when preparing the next major PathFinder release, and will of course have time to make a balanced assessment based on testing at that point.

For now, we remain on version 1.0.0a, which is stable, known, and (once again) not affected by the Heartbleed bug.

If you have any concerns or would like more information, please do not hesitate to contact us.


Tom Reader

Director

Orion Consulting Limited

2014-04-11