Is LiquidFiles vulnerable to Heartbleed, Shellshock, CVE-XXX,...?
Every so often there's a new widespread vulnerability such as Heartbleed or Shellshock, or another problem with a CVE number. These vulnerabilities do not affect the LiquidFiles application directly, but they potentially affect the underlying operating system, CentOS, which in turn follows the RedHat distribution.
So am I vulnerable?
We often get questions like: "We run LiquidFiles v2.3.4, is that version vulnerable to Heartbleed?"
LiquidFiles does not work like that - specific CentOS patches are not installed by specific LiquidFiles versions.
When you update LiquidFiles, it also installs the latest CentOS updates available at the time of the update. This means that if you update LiquidFiles after CentOS/RedHat has released a patch, you will be protected, regardless of which LiquidFiles version you update to.
LiquidFiles has 3 levels of auto-update functions:
- Auto-Update LiquidFiles, Operating System & Anti Virus
- Auto-Update Operating System & Anti Virus
- Auto-Update Antivirus
It is recommended that you enable at least auto-update of the Operating System & Anti Virus. This ensures that when CentOS/RedHat releases a security update, it is installed on your LiquidFiles system as soon as possible, keeping you protected from future issues.
To figure out when a problem has been fixed, please search for the vulnerability at the RedHat Vulnerability database: https://access.redhat.com/security/vulnerabilities
A special note on OpenSSL
The CentOS/RedHat team has a long history of patching specific vulnerabilities in OpenSSL instead of upgrading to the latest version from the OpenSSL team. This means that even if you search for a specific OpenSSL version in the LiquidFiles operating system, it is not a direct indication of the system being vulnerable or not. You still need to verify against the RedHat Vulnerability database above.
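Because fixes are backported, a more useful check than the OpenSSL version string is whether the installed package's RPM changelog names the CVE. The script below is an added example, not LiquidFiles code. It assumes shell access to the CentOS host; the function names, the sample changelog and the CVE ids in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for a backported fix by CVE id in an RPM changelog
# instead of trusting the upstream version number.

# Constructed sample: the upstream version stays 1.0.1e while the release changes.
sample_changelog() {
cat <<'EOF'
* Tue Jan 02 2001 Example Packager <pkg@example.invalid> - 1.0.1e-2
- fix CVE-0000-00011 - constructed entry
* Mon Jan 01 2001 Example Packager <pkg@example.invalid> - 1.0.1e-1
- fix CVE-0000-0002 - constructed entry
EOF
}

# Reads a changelog on stdin and prints: patched | not-listed | invalid.
cve_status() {
    cve="$1"
    # Accept only a well-formed id, so a version string is never used as a pattern.
    if ! printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
        echo invalid
        return 2
    fi
    # Match the id as a whole token: CVE-0000-0001 must not match CVE-0000-00011.
    if grep -Eiq "(^|[^0-9A-Za-z-])${cve}([^0-9]|\$)"; then
        echo patched
    else
        # Not listed is not the same as vulnerable: the package may never have
        # been affected. Confirm against the RedHat Vulnerability database.
        echo not-listed
        return 1
    fi
}

# Query the installed package on an RPM-based host.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 3; }
    rpm -q --changelog "$1" | cve_status "$2"
}

# Usage: sh check_cve.sh <package> <CVE id>
if [ "$#" -eq 2 ]; then
    check_installed "$1" "$2"
fi
```
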