Subject: CVS commit: wip/trustedQSL
From: Makoto Fujiwara
Date: 2014-04-17 13:57:02
Message id: E1WakwR-0005sZ-Fb@sfs-ml-1.v29.ch3.sourceforge.com

Log Message:
(Upstream) Bump version:
-PKGNAME=               tqsl-2.0.1RC9
+PKGNAME=               tqsl-2.0.2-RC1
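Review bot: The version suffix changes form in this hunk, from `2.0.1RC9` (no separator) to `2.0.2-RC1` (hyphen before the RC tag); pkgsrc takes the version of PKGNAME as everything after the last hyphen, so `tqsl-2.0.2-RC1` reads as base `tqsl-2.0.2` with version `RC1`, which will not compare as an upgrade from `tqsl-2.0.1RC9`. Consider keeping the upstream string in DISTNAME only and using a pkgsrc-style `PKGNAME= tqsl-2.0.2rc1`, and confirm distinfo was regenerated for the new distfile (the Files list shows it was modified).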
--- Mail from Author ---
You have likely read that there is a defect in the OpenSSL software that
can potentially cause information disclosure, including the loss of
private information such as secret keys, passwords, cookies, and so
forth.

TQSL uses the OpenSSL software to manage callsign certificates and to
sign logs. Those functions do not use the part of the OpenSSL software
that has the Heartbleed defect.

However, TQSL also uses the OpenSSL software to manage connections to
the lotw.arrl.org site for processing uploads and downloads. Those
functions DO use the part of OpenSSL that's subject to Heartbleed.

The risk posed to TQSL users is quite low. The only way that someone
could use Heartbleed to attack a TQSL user would be for the attacker to set
up a rogue copy of lotw.arrl.org and somehow get a TQSL user to go there
rather than the ARRL site. That rogue site would then probe TQSL on the
user's PC, hoping to find their password. This is a pretty unlikely
attack, since the straightforward attack, if I can get you to go to a
fake site, would be to simply ask the user for the password rather than
try the unreliable Heartbleed attacks.

There's no practical attack known against client software like TQSL,
unlike the attacks against web servers that have been demonstrated. Also
note that the ONLY data that would be exposed would be TQSL information,
such as certificate passwords and secret keys. Attacking those would
take a lot of work and make no economic sense.

However, even though this is a low risk for TQSL users, we're making an
updated beta test release available, TQSL 2.0.2-RC1, which uses the
updated OpenSSL, so that this risk can be eliminated.

This release is targeted for Windows users, since the MacOS version of
TQSL uses a version of OpenSSL which is not vulnerable to Heartbleed and
the Linux builds use the OpenSSL supplied with your Linux distribution,
which should have already been patched.

Files:
Revision  Action  File
1.49      modify  wip/trustedQSL/Makefile
1.29      modify  wip/trustedQSL/distinfo