Is LiquidFiles vulnerable to Heartbleed, Shellshock, CVE-XXX,...?
Every so often there's a new widespread vulnerability like Heartbleed, Shellshock and other problems with a CVE number. These vulnerabilities do not affect the LiquidFiles application directly, but potentially affect the underlying operating system, CentOS, which in turn follows the RedHat distribution.
So am I vulnerable?
Often we get questions like: "We run LiquidFiles v2.3.4, is that version vulnerable to Heartbleed?"
LiquidFiles does not work like that - specific CentOS patches are not installed by specific LiquidFiles versions.
When you update LiquidFiles, it will update to the latest available CentOS updates at the time of the update. This means that if you update LiquidFiles after CentOS/RedHat has released a patch, you will be protected, regardless of the specific LiquidFiles version you update to.
LiquidFiles has 4 levels of auto-update functions:
- None - Neither the LiquidFiles application nor any system and security updates will be installed. If you have enabled Virus Scanning then AV signatures will still be updated.
- Auto-Update LiquidFiles Application (default) - Automatically update the LiquidFiles application as new versions are released. The latest available system and security updates are installed together with the application updates.
- Auto-Update LiquidFiles Application + System Security Updates - Auto-updates the LiquidFiles application and also installs any security updates on a daily basis.
- Auto-Update System Security Updates - Install security updates as above but don't automatically update the LiquidFiles application.
It is recommended that you enable at least auto-updating of the Operating System & Anti Virus. This ensures that when CentOS/RedHat releases a security update, it is installed on your LiquidFiles system as soon as possible, keeping you protected from any future issues.
To figure out when a problem has been fixed, please search for the vulnerability at the RedHat Vulnerability database: https://access.redhat.com/security/vulnerabilities
A special note on OpenSSL
The CentOS/RedHat team has a long history of patching specific vulnerabilities in OpenSSL instead of upgrading to the latest version from the OpenSSL team. This means that even if you search for a specific OpenSSL version in the LiquidFiles operating system, it is not a direct indication of the system being vulnerable or not. You still need to verify against the RedHat Vulnerability database above.
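One way to check for a backported fix on the system itself, as an added example that is not part of the original page or LiquidFiles' own tooling: RPM package changelogs record which build fixed a given CVE, so searching the changelog answers the question that the OpenSSL version number cannot. It assumes shell access to the underlying CentOS system; the function names, CVE ids and changelog entries below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not LiquidFiles code. Finds the package build whose RPM
# changelog entry mentions a CVE, because backported fixes do not change
# the upstream version number.

# fixed_in CVE-ID: reads RPM changelog text on stdin and prints the header
# line ("* date packager version-release") of each entry mentioning the CVE.
# Exit status: 0 if the CVE is mentioned, 1 if it is not.
fixed_in() {
    awk -v cve="$1" '
        /^\* / { header = $0; next }          # start of a changelog entry
        {
            p = index($0, cve)
            if (p == 0) next
            # Reject prefix matches: the id must not be followed by a digit.
            if (substr($0, p + length(cve), 1) ~ /[0-9]/) next
            if (header != last) print header
            last = header
            found = 1
        }
        END { exit !found }
    '
}

# check_pkg PACKAGE CVE-ID: run the same search on an installed package.
# Returns 2 if rpm is unavailable, otherwise the status of fixed_in.
check_pkg() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q --changelog "$1" | fixed_in "$2"
}

# Constructed sample changelog (not real package data) so this runs offline.
sample_changelog() {
cat <<'EOF'
* Tue Jan 02 2001 Example Packager <packager@example.com> 1.0.1e-16.7
- fix CVE-0000-1111 - constructed entry for a backported fix

* Mon Jan 01 2001 Example Packager <packager@example.com> 1.0.1e-16.4
- fix CVE-0000-2222 - constructed entry
EOF
}

# Demo on the constructed data; on a real system: check_pkg openssl <CVE id>
sample_changelog | fixed_in CVE-0000-1111
```

A CVE missing from the changelog does not prove the system is affected or unaffected, so the RedHat Vulnerability database remains the reference for whether a fix exists and in which package build.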