If you’re a customer of ours you should have already received an e-mail with instructions on how to update products such as Mentor Embedded Linux and the Automotive Technology Platform that include OpenSSL, and in some cases versions of OpenSSL with the Heartbleed bug and vulnerability.
If you’re not an active customer of Mentor Embedded Linux or the Automotive Technology Platform, or are doing your own Linux development, please be aware that the security vulnerability exists in specific versions of the OpenSSL component. Affected versions include OpenSSL 1.0.2-beta, as well as all OpenSSL versions 1.0.1 through 1.0.1f. OpenSSL version 1.0.1g includes a fix for the Heartbleed vulnerability. To ensure your business is not exposed by Heartbleed, we recommend you upgrade your OpenSSL version to 1.0.1g.
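A small triage helper, added here as an example and not part of Mentor's tooling, that classifies an upstream OpenSSL version string (as printed by `openssl version`) against the affected range stated above: 1.0.1 through 1.0.1f and the 1.0.2 betas are flagged, 1.0.1g and later are not, and the 1.0.0 and 0.9.8 branches (which never shipped the TLS heartbeat extension) are reported as unaffected. The sample inputs are constructed.

```python
import re

# Matches upstream strings such as "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g"
# or "1.0.2-beta1": major.minor.fix, optional patch letter(s), optional
# pre-release tag.
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|pre\d*|dev))?"
)


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter, prerelease) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter or "", pre or ""


def is_heartbleed_affected(text):
    """True when the upstream version lies in the advisory's affected range,
    False when it does not, None when the string cannot be parsed."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # "1.0.1" (no letter) through "1.0.1f" are affected; "g" onward carry the fix.
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the 1.0.2 pre-release betas shipped with the bug.
        return pre.startswith("beta")
    # 1.0.0, 0.9.8 and anything newer than 1.0.2-beta are outside the range.
    return False


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version` from a few hosts.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(f"{sample!r}: affected={is_heartbleed_affected(sample)}")
```

A match on the version string alone is a prompt to check with your vendor, not proof: distribution packages that backport the fix keep the old upstream version string, and builds compiled with `-DOPENSSL_NO_HEARTBEATS` are not exposed even at an affected version.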
Below is some additional information from Chris Hallinan on the bug and its impact:
By now nearly everyone has seen the news and notices about the so-called “Heartbleed” vulnerability in the OpenSSL package. Most of us realize that OpenSSL has been a fundamental part of the open source networking stack used in Linux and other operating systems. OpenSSL implements the secure sockets layer (SSL) and transport layer security (TLS), and also provides the cryptography library used to manage public key cryptography and key agreement, certificate handling and cryptographic hash functions. Of course, OpenSSL is part of Mentor Embedded Linux and is also used in other embedded software products from Mentor Graphics.
The scope of this vulnerability is unusually large, due in part to the widespread use of Linux powering the Internet, and the popularity of the OpenSSL package for secure web communication. Of the many e-mails I received announcing this bug, the most surprising was from my city council member warning about this potential security threat, and advising that relevant passwords be changed. I’m surprised they had that kind of visibility and awareness of such a situation.
As you would suspect, Mentor Graphics was all over this vulnerability. Shortly after it became widely publicized, my inbox was buzzing with plans and actions about getting the fix applied and patches posted to our support site, the award-winning Mentor SupportNet at http://supportnet.mentor.com. If you are a Mentor Embedded Linux (MEL) customer, you have already been notified, and these hotfixes are already available on SupportNet for your version of MEL.
This is one very visible example of the value of partnering with a commercial embedded Linux vendor. It took a substantial effort to triage and patch the variety of product configurations and versions in which OpenSSL is being used. We were able to rapidly test the variety of product configurations across multiple architectures and BSPs to ensure that no other compatibility issues were discovered due to the OpenSSL upgrade. This particular example was highly visible due to the extensive news coverage of this event. But at Mentor Graphics, we quietly monitor for common vulnerabilities and exposures on a regular, ongoing basis. When these CVEs are found to affect our products, we rapidly triage, patch and release hotfixes as required to ensure that our products are as robust as possible.