Yealink Forums
OpenSSL/Heartbleed & OpenVPN/OpenSSL in phones


OpenSSL/Heartbleed & OpenVPN/OpenSSL in phones - jasonjayr - 04-15-2014 12:26 AM

Has Yealink made a statement regarding the OpenSSL/Heartbleed TLS issue? We use OpenVPN on our T26 & T28 phones and I know the version on our PCs needed updating.

If folks haven't heard about it, check out http://heartbleed.com. This was a very serious vulnerability in OpenSSL that was broken for almost 2 years.

Is there a firmware upgrade necessary or in the works?

Thanks


RE: OpenSSL/Heartbleed & OpenVPN/OpenSSL in phones - Yealink Support - 04-15-2014 09:54 AM

I think you should upgrade the version of OpenSSL but not Yealink phones.


RE: OpenSSL/Heartbleed & OpenVPN/OpenSSL in phones - jcvh - 04-16-2014 12:49 AM

Is that all?

Guys, are you even taking this seriously enough? Can you elaborate a little?

At least, (imho) you should make a statement regarding what version of OpenSSL, OpenVPN, and whatever https server you are using in the diverse firmwares of your phones, so we can know for sure if we can be affected or not.

Given the case, the phones may leak the admin password of the phone, and/or the SIP credentials, either of the two serious enough, if you ask me.

On the other hand, I have been checking some terminals with the latest firmware, and the https part seems to be fine, at least.

Regards!


RE: OpenSSL/Heartbleed & OpenVPN/OpenSSL in phones - Yealink Support - 04-16-2014 12:18 PM

Hi jcvh,

Thanks for your opinions. I have submitted your request to our product department.


RE: OpenSSL/Heartbleed & OpenVPN/OpenSSL in phones - Yealink Support - 04-18-2014 05:04 PM

[Announcement] Yealink Heartbleed Security Advisory