Opera v12 and the HeartBleed OpenSSL vulnerability: will there be an update?

  • Should we expect an update for Opera v12 regarding this OpenSSL issue?

  • I think no.
    AFAIK, the OpenSSL version used in Opera v12 is not concerned by the HeartBleed.

    Edit : In fact yes, because of the Auto-Upddater - see QuHno's post

  • Will ever be any update for O12 :huh:

  • @rale.djurdan:

    Will ever be any update for O12 :huh:

    Here's Opera ASA's take on the issue http://blogs.opera.com/security/2014/04/heartbleed-heartaches/ There will be an update.

    Read this too http://blogs.opera.com/news/2014/04/protect-yourself-from-the-heartbleed-bug/

    Also, all major Linux distros seem to have issued updates to openssl package a day or two ago. I have no clue what the updates for Linux do, but they are there.

  • New release is out, (currentlty) without any communication.

  • Not really sure, what that means, since there is no changelog for it. But i'll try it anyway, can't be worse that new Opera.

  • I tried it. There is still that Google "feature". Meaning, You can't delete Google as search engine and use speed dial search. I think I'll revert Opera to last good version 12.14

  • Also, without any communication, it's only for Win http://ftp.opera.com/pub/opera/win/ not for Linux http://ftp.opera.com/pub/opera/linux/

  • Also no Mac version - yet.

    As far as it goes, Heartbleed was a server issue. Opera is not a server so it shouldn't matter. Theoretically anyway.

  • Opera <15 itself is not vulnerable to Heartbleed simply because it uses an openSSL version that does not have the Heartbeat implementation compiled in.

    The only insecure part was the automatic updater, which indeed used a vulnerable version of openSSL and that was, what was addressed with the update. I don't know if the Linux version needs the openSSL library as part of the Opera distributtion because the normal Linux package and MacOSX come with their own openSSL implementation, so it would be up to the OS to provide a secure variant (1.0.1g as of today).

    About Heartbleed being no problem for a client:
    That is not entirely true. If you visit a Website that is secured by a TLS connection that can use Heartbeat, the server can reverse attack you exactly the same way as a client can attack the server - provided it is a hacked server or one deliberately set up by some crooks.

    A vulnerable OpenSSL implementation at the client side will happily provide the same last 64 kByte of the SSL stack no mater where it is running. The server could grab almost everything that is on the stack, if it only probes often enough via the connection you have opened by yourself by visiting the site (meaning: your FW will let it through because it is a user initiated connection done by an allowed software, aka "the browser").

    In the end that could mean that the server could grab all of the information that is on the stack no matter if it is in the same tab or in other tabs where you have a SSL connection open because normally there is only "one stack to rule them all" (AFAIK - don't sue me about that). In that stack there might be session cookies or other stuff you do not want to go to other pages.

    (Golden rule for online banking and other critical stuff: Close all other connections before, then start a clean browser with no tabs open and then go directly to your banking site.)

  • Vivaldi Team

    There is now blog post with details.

  • Vivaldi Translator

    They certainly don't want us using alternative versions.
    Finding the complete list is not as easy as it was. I used to just use the link at the bottom of the site.
    This has always been the only way to get the 64bit versions

  • For some time, I had to look at the Linux versions to be able to find the link. Mind you, I've taken to just posting the FTP server's address and letting people get the version they want from there …

Log in to reply

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.