vulnerability in OpenSSL

Hello,
it has been reported recently that there is a serious vulnerability in OpenSSL 1.0.1. It is recommended to adopt the fix (OpenSSL 1.0.1g) ASAP.
https://openssl-library.org/news/secadv/20140407.txt
https://heartbleed.com/

This bug is tracked here:
https://winscp.net/tracker/1151

We are working on a fix.

Note that OpenSSL is used with FTP over TLS/SSL only. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

When will 5.5.3 be released with the OpenSSL bug fix? We're using 5.5.2 and from my reading the underlying OpenSSL core is 1.0.1f? Can somebody confirm this?

Thanks
SS

SikhSuperman wrote:

When will 5.5.3 be released with the OpenSSL bug fix?

In few days.

We're using 5.5.2 and from my reading the underlying OpenSSL core is 1.0.1f? Can somebody confirm this?

That's correct.

Thanks Martin -

We're using the SSH feature over sFTP of WinSCP so we should be safe on the 'Heartbleed' bug.
Ref: https://winscp.net/forum/viewtopic.php?t=13736

Thanks again for confirming!
SS

SikhSuperman wrote:

We're using the SSH feature over sFTP of WinSCP so we should be safe on the 'Heartbleed' bug.
Ref: https://winscp.net/forum/viewtopic.php?t=13736

Correct. OpenSSL is used with FTP over TLS/SSL only. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!