Although Qt itself is not affected by the Heartbleed Bug (CVE-2014-0160) found in OpenSSL, the bug does affect users of Qt, so I wanted to write a short summary of the topic.

As defined at http://heartbleed.com:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Qt itself does not include OpenSSL, but when OpenSSL is installed on the system, Qt applications can use it. Thus, depending on which OpenSSL version is installed on the system, your Qt-based application may be affected by this vulnerability if it uses OpenSSL functionality. OpenSSL 1.0.1 versions older than 1.0.1g are vulnerable. Updating OpenSSL versions older than 1.0.1 to 1.0.1g is also recommended, although they are not subject to this vulnerability. The fix for OpenSSL is already available, and all users of vulnerable OpenSSL versions should migrate to OpenSSL 1.0.1g or recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
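Because Qt resolves OpenSSL at runtime, the library actually installed on the system is what decides exposure, so the first practical check is to classify the runtime version string against the rule above. The following is an added example, not code from the original post or from the Qt project: it parses a banner in the format that `openssl version` prints (or that a Qt application obtains through the real Qt 5 call QSslSocket::sslLibraryVersionString()) and applies the post's rule. The file deliberately has no Qt dependency so it builds stand-alone; the type and function names and the sample banners are this example's own.

```cpp
// Added example (not part of the original post): classify an OpenSSL version
// string against the Heartbleed fix (1.0.1g). The string is what
// `openssl version` prints, or what a Qt application gets at runtime from
// QSslSocket::sslLibraryVersionString(). Names below are this example's own.
#include <iostream>
#include <sstream>
#include <string>

enum class HeartbleedStatus {
    Vulnerable,            // 1.0.1 through 1.0.1f: unpatched heartbeat code
    Fixed,                 // 1.0.1g or a later 1.0.1 release
    NotAffectedButUpdate,  // pre-1.0.1 branch: no heartbeat code, update still advised
    Unknown                // unparsable, or a branch the post does not cover
};

struct OpenSslVersion {
    int major = 0, minor = 0, fix = 0;
    char patch = '\0';  // the letter in "1.0.1g"; '\0' when absent
};

// Find the first "x.y.z[letter]" token in text, e.g. in "OpenSSL 1.0.1f 6 Jan 2014".
bool parseOpenSslVersion(const std::string& text, OpenSslVersion& out) {
    std::istringstream words(text);
    std::string token;
    while (words >> token) {
        std::istringstream t(token);
        int major = 0, minor = 0, fix = 0;
        char dot1 = '\0', dot2 = '\0', letter = '\0';
        if ((t >> major >> dot1 >> minor >> dot2 >> fix) && dot1 == '.' && dot2 == '.') {
            out.major = major;
            out.minor = minor;
            out.fix = fix;
            // A trailing letter is the patch level; anything else (e.g. "-beta1") is ignored.
            out.patch = ((t >> letter) && letter >= 'a' && letter <= 'z') ? letter : '\0';
            return true;
        }
    }
    return false;
}

HeartbleedStatus classify(const OpenSslVersion& v) {
    if (v.major == 1 && v.minor == 0 && v.fix == 1) {
        // The post's rule: 1.0.1 releases older than 1.0.1g are vulnerable.
        bool olderThanG = (v.patch == '\0') || (v.patch < 'g');
        return olderThanG ? HeartbleedStatus::Vulnerable : HeartbleedStatus::Fixed;
    }
    if (v.major < 1 || (v.major == 1 && v.minor == 0 && v.fix < 1)) {
        return HeartbleedStatus::NotAffectedButUpdate;  // 0.9.8 and 1.0.0 branches
    }
    return HeartbleedStatus::Unknown;  // later branches: consult the OpenSSL advisory
}

HeartbleedStatus heartbleedStatus(const std::string& versionText) {
    OpenSslVersion v;
    return parseOpenSslVersion(versionText, v) ? classify(v) : HeartbleedStatus::Unknown;
}

const char* describe(HeartbleedStatus s) {
    switch (s) {
        case HeartbleedStatus::Vulnerable:
            return "VULNERABLE: update to 1.0.1g or rebuild with -DOPENSSL_NO_HEARTBEATS";
        case HeartbleedStatus::Fixed:
            return "fixed (1.0.1g or later)";
        case HeartbleedStatus::NotAffectedButUpdate:
            return "not affected, but updating to 1.0.1g is recommended";
        default:
            return "unknown: inspect the version string manually";
    }
}

int main() {
    // Constructed sample banners in the format `openssl version` prints.
    const char* samples[] = {
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    };
    for (const char* s : samples) {
        std::cout << s << " -> " << describe(heartbleedStatus(s)) << '\n';
    }
    // In a Qt application, feed QSslSocket::sslLibraryVersionString().toStdString()
    // to heartbleedStatus() instead of a sample banner.
    return 0;
}
```

Two caveats apply to any version-string check. A library rebuilt with -DOPENSSL_NO_HEARTBEATS, or a distribution package whose vendor backported the fix without bumping the upstream version, still reports a pre-1.0.1g version, so a "vulnerable" result from a packaged OpenSSL should be confirmed against the package changelog before acting on it. And since Qt loads OpenSSL at runtime, the version Qt was built against tells you nothing; only the library the running application actually resolved matters.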

The servers of the Qt Project and Digia have all been updated and are no longer affected by the vulnerability. Those servers that may have been affected have been thoroughly checked, and their certificates will be changed. All Qt Cloud Services have also been updated to the latest OpenSSL. Like all Qt users leveraging OpenSSL, users of the Qt Cloud Services client library should check that their applications use the fixed OpenSSL version.

We have also notified users of Qt Enterprise Embedded about the vulnerability and given them instructions for avoiding it. The next release of the Qt Enterprise Embedded reference stack will contain the fixed version of OpenSSL.

There is also a minor risk of vulnerability via the Qt Enterprise and Qt Mobile online installers, which use HTTPS communication. We are in the process of updating the installers and will notify customers separately when the updated installers are available.

If you have any questions, please do not hesitate to contact Qt Enterprise support via your Qt Account or the Qt Project security mailing list.

Excerpt from: Heartbleed Bug (CVE-2014-0160) and Qt