Mumble and Heartbleed

Posted on April 10, 2014 by mkrautz

Most of the Mumble project’s communication this week regarding the Heartbleed vulnerability has happened via IRC. This blog post attempts to fix that by providing answers to the most frequently asked questions here on our blog.

If you’re reading this blog post, you’re probably wondering whether your Mumble client or Murmur server is vulnerable to the Heartbleed (CVE-2014-0160) vulnerability in OpenSSL.

The answer is: “It depends.”

The binary Mumble and Murmur packages that are available to download from SourceForge and mumble.info are not affected. These packages are built against OpenSSL 1.0.0. Heartbleed affects only OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release); the 1.0.0 branch does not implement the TLS heartbeat extension at all, so there is nothing in it to exploit. (This is also why you have not seen any new releases from us to fix this issue.)

So, if you’re using a Mumble client/server on Windows or Mac OS X that you downloaded from SourceForge or mumble.info, you’re not vulnerable. If you’re running the ‘static’ Linux server, you are not vulnerable either. If you’re running the iOS client, you’re also good.

However, if you are running a Mumble client or a Murmur server that you didn’t download from SourceForge or mumble.info, you are most likely vulnerable, because such builds link against the system’s OpenSSL library rather than a bundled copy. This includes Mumble and Murmur packages from the package managers of Linux and other Unix-like systems, and importantly also the Ubuntu PPA archives that we link to from the front page of mumble.info.

If you’re on a Unix-like system, you should ensure that your OpenSSL package is up-to-date and that it includes a fix for Heartbleed. Be aware that most distributions backported the fix without changing the upstream version number, so an “openssl version” output of 1.0.1e does not by itself mean you are still vulnerable; check your distribution’s package changelog or security advisory, or look at the build date reported by “openssl version -b” (a build from April 7, 2014 or later carries the fix). Once that is the case, you are no longer vulnerable. (Make sure you restart your server instances after updating OpenSSL for the update to have any effect: a running murmurd keeps the old library mapped in memory until it is restarted, even though the file on disk has been replaced.)
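The two checks described above, written out as an added example that is not part of the Mumble project’s code or this post: it classifies an OpenSSL version string against the affected range, and it looks for a murmurd process that still has a replaced (deleted) libssl mapped and therefore needs a restart. The process names murmurd and mumble-server, and the sample /proc maps line, are assumptions made here for illustration; the maps line is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Mumble project code). Two Heartbleed checks for a
# Murmur host that runs a distribution-packaged build:
#  1. is the OpenSSL version string in the affected upstream range?
#  2. is a running murmurd still using a libssl that was replaced on
#     disk after an update but never restarted?

# Upstream versions affected by CVE-2014-0160: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. The 1.0.0 and 0.9.8 branches never had the heartbeat
# extension. Returns 0 (true) if $1 is in the affected range.
# Distributions backport the fix without changing this number, so a
# "true" here means "check your distribution's changelog", not "exploitable".
openssl_version_in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the bare version from "openssl version" output such as
# "OpenSSL 1.0.1e 11 Feb 2013" (prints 1.0.1e).
openssl_version_field() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Returns 0 if the /proc/PID/maps file named by $1 maps a libssl whose
# file was deleted or replaced on disk: the process still runs old code.
maps_has_stale_libssl() {
    grep -q 'libssl[^ ]*\.so[^ ]* (deleted)$' "$1"
}

# Constructed sample (assumption, not from a real host) of a maps line
# for a murmurd that was not restarted after the libssl update. Note the
# file name: Debian and Ubuntu ship OpenSSL 1.0.1 under the SONAME
# libssl.so.1.0.0, so the name alone says nothing about the version.
SAMPLE_MAPS_LINE='7f0a1c000000-7f0a1c1f0000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MAPS_LINE" > "$tmp"
    if maps_has_stale_libssl "$tmp"; then
        echo "sample maps: stale libssl mapped, process needs a restart"
    fi
    rm -f "$tmp"
    for v in 1.0.0 1.0.1e 1.0.1g; do
        if openssl_version_in_heartbleed_range "$v"; then
            echo "$v: in affected range"
        else
            echo "$v: not in affected range"
        fi
    done
}

# Walk the live system (Linux only): report the installed version and
# every murmurd / mumble-server process that still maps a stale libssl.
scan_running_servers() {
    v=$(openssl_version_field "$(openssl version)")
    if openssl_version_in_heartbleed_range "$v"; then
        echo "OpenSSL $v: affected upstream range; confirm your distribution backported the fix"
    else
        echo "OpenSSL $v: not in the affected range"
    fi
    [ -d /proc ] || return 0
    for pid in $(pgrep -x murmurd; pgrep -x mumble-server); do
        if maps_has_stale_libssl "/proc/$pid/maps"; then
            echo "PID $pid still has the pre-update libssl mapped: restart it"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_running_servers
else
    demo
fi
```

Run it with no arguments to see the constructed sample evaluated, or with --scan on the Murmur host itself. A “(deleted)” libssl in a process’s maps is the reliable sign that a restart is still outstanding; the version check alone cannot tell a patched 1.0.1e from an unpatched one.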

Once you have patched OpenSSL on any vulnerable systems, you should also strongly consider revoking and reissuing any certificates, private keys and passwords that have been used by either Mumble or Murmur on the vulnerable machine (including the Murmur server password and SuperUser password), as these might have been readable by attackers. Keep in mind that Mumble clients pin server certificates, so after you replace your Murmur certificate, connecting users will be warned that the server’s certificate has changed and will have to accept the new one. Likewise, a client’s own certificate is what identifies a registered user to a server, so a user who generates a new client certificate will no longer be recognized as that registered user until the registration is updated.

The Mumble Team