Earlier today the DHS ICS-CERT published an update (#4) for the Siemens OpenSSL advisory that was last updated in August. It ignored updates for a RuggedCom certificate verification vulnerability (ICSA-14-135-03) originally published in May and an update for the Siemens GNU Bash vulnerability that ICS-CERT still has not reported. Batting 1 for 3 in baseball is pretty good; in security it SUCKS. All three updates were published yesterday on the Siemens ProductCert web page.
OpenSSL Update
This update reports that Siemens now has updates available for all of the affected product lines. Siemens has made steady progress since the vulnerability was reported earlier this year, with regular updates to its public notifications.
Certificate Verification Update
ICS-CERT may not care, but Siemens is reporting that it has firmware updates available for ROX 2 devices and continues to work on updates for ROX 1 devices.
GNU Bash Update
Siemens is reporting that the same ROX 2 firmware upgrade that fixed the certificate verification vulnerability also addresses their GNU Bash issue. Two vulnerabilities fixed with a single upgrade is a good move. ICS-CERT apparently still does not know that Siemens is affected by GNU Bash, so the update passes unnoticed.