April 22, 2014

Heartbleed Vulnerability Update: Patched Perforce Clients Now Available


In response to the Heartbleed vulnerability in OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol, we released patched versions of our impacted server products on April 10. This week we released the 2014.1 versions of our clients, which have been patched to address the Heartbleed issue. The 2014.1 clients are backwards compatible with previous server releases.

Who’s Impacted?

In our blog post on April 10, we detailed the impact this SSL vulnerability had on Perforce server products. Upon further investigation into the extent of the Heartbleed vulnerability, we have now patched the 2014.1 releases of our client products, including P4V (visual client), P4 (command line client), P4VS (plugin for Visual Studio), P4FTP (FTP client), and P4GT (graphical tools plugin).

If you utilize a vulnerable SSL client to connect to a legitimate Perforce server, a third party could conceivably steal sensitive data from your client such as recently viewed job or change descriptions, password hashes, passwords, tickets, etc.

Updates Now Available

If you use SSL, older client releases have security vulnerabilities. We recommend that our customers install the 2014.1 versions of our clients, now available from the Perforce website:

Patched versions of all affected server releases are now available from the Perforce website. To get patched binaries for older (pre-2014.1) server releases, please select the appropriate version number from the drop-down menu. You can also receive these patched binaries from our FTP site:

Alternatively, for the OVAs, running apt-get update followed by apt-get upgrade will fix the vulnerability.

If you have other questions or concerns, please feel free to contact [email protected].