Thursday, April 10, 2014

Gallery Server Pro not vulnerable to Heartbleed bug

A vulnerability in OpenSSL (CVE-2014-0160) was disclosed a few days ago. It has been named the Heartbleed bug. There is a lot of concern due to its seriousness, widespread impact, and difficulty in fixing.

I just wanted to confirm that Gallery Server Pro is not vulnerable because it cannot run on the platforms where the vulnerability exists. Gallery Server Pro is based on .NET and must run on IIS on a Windows Server. A blog post from Microsoft employee Ben Ari confirms that default configurations of Windows do not include OpenSSL. He writes that one *could* use OpenSSL on Windows by running the Windows version of Apache, but GSP cannot run under Apache, so this is not applicable to us.

So, no worries about the Heartbleed bug with Gallery Server Pro.
