Description of problem:
Start QupZilla in Mageia 4.
Go to https://freakattack.com/ to check against FREAK.
It says it's vulnerable.
In Mageia 5 (Beta 3) it's not affected.

Reference: https://github.com/QupZilla/qupzilla/issues/1621

Reproducible:

Steps to Reproduce:
Summary: Qupzilla is vulnerable in Mageia 4 => Qupzilla is vulnerable in Mageia 4 for Freak
The test seems unlikely to be accurate. I don't know whether it's really testing the vulnerability or testing versions of things or what. The upstream bug report you linked reported varying results with QupZilla 1.8.6, which at the least suggests that QupZilla doesn't have its own SSL implementation. You wouldn't think it would, and a quick look at the source code suggests that it doesn't. So, it would have to be using one from a library it's linked to. I see that QupZilla is linked to libQtNetwork.so.4 (from qt4) which is linked to libssl.so.1 (from OpenSSL), so as I suspect, it's most likely using OpenSSL. We fixed FREAK, also known as CVE-2014-0204, in our last OpenSSL update in Bug 14987. Make sure you have the updated packages installed.
Status: NEW => UNCONFIRMED
Ever confirmed: 1 => 0
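The linkage check described in the comment above can be scripted. This is an added example, not part of the bug thread or of Mageia's tooling; the sample `ldd` output is constructed and the binary path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug thread): list the TLS libraries a binary
# resolves to at load time and the package that owns each one.

# Constructed sample of `ldd` output, for trying the parser without a binary.
SAMPLE_LDD='    libQtNetwork.so.4 => /usr/lib64/libQtNetwork.so.4 (0x00007f0000a00000)
    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0000800000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0000400000)
    libmissing.so.1 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Read ldd output on stdin; print "soname path" for each resolved TLS library.
# Unresolved entries ("=> not found") are skipped because they have no path.
tls_libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// &&
         $1 ~ /^lib(ssl|crypto|gnutls|nss3)\.so/ { print $1, $3 }' | sort -u
}

# Report the TLS libraries of a binary and, on RPM systems, the owning package,
# so the installed version can be compared with the one named in the advisory.
report_tls_libs() {
    ldd "$1" | tls_libs_from_ldd | while read -r soname path; do
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$path" 2>/dev/null) || owner="(not owned by a package)"
        else
            owner="(rpm not available)"
        fi
        printf '%s\t%s\t%s\n' "$soname" "$path" "$owner"
    done
}

# Usage (the path is an assumption): sh tls-libs.sh /usr/bin/qupzilla
if [ "$#" -gt 0 ]; then
    report_tls_libs "$1"
fi
```

`ldd` lists only load-time dependencies, including transitive ones; a library opened at run time with `dlopen` does not appear in its output.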
Fixed with the update released today: openssl-1.0.1m-1.mga4
Status: UNCONFIRMED => RESOLVED
Resolution: (none) => FIXED