cloudstack-dev mailing list archives

From Harikrishna Patnala <harikrishna.patn...@citrix.com>
Subject Re: OpenSSL vulnerability (bleedheart)
Date Wed, 09 Apr 2014 11:20:51 GMT
Hi,

I have tried upgrading openssl on our system VMs (deployed using the latest template); the version
is still OpenSSL 1.0.1e.

It seems apt does not have the binary of the latest OpenSSL; maybe we need to compile the library
from the latest OpenSSL source (OpenSSL 1.0.1g) and use that build in our systemvm template.


root@v-2-VM:~# apt-get update
...

root@v-2-VM:~# apt-get install openssl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  openssl
1 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 700 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://security.debian.org/ wheezy/updates/main openssl amd64 1.0.1e-2+deb7u6 [700 kB]
Fetched 700 kB in 0s (1,559 kB/s)
(Reading database ... 26260 files and directories currently installed.)
Preparing to replace openssl 1.0.1e-2+deb7u4 (using .../openssl_1.0.1e-2+deb7u6_amd64.deb)
...
Unpacking replacement openssl ...
Processing triggers for man-db ...
Setting up openssl (1.0.1e-2+deb7u6) ...

root@v-2-VM:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013


-Harikrishna


On 09-Apr-2014, at 4:34 pm, Abhinandan Prateek <Abhinandan.Prateek@citrix.com> wrote:

> The latest Jenkins build template has OpenSSL version 1.0.1e, the version
> that is compromised.
> 
> On 09/04/14 2:30 pm, "Nux!" <nux@li.nux.ro> wrote:
> 
>> On 09.04.2014 06:55, John Kinsella wrote:
>>> Just put up a blog post with mitigation instructions [1]. If anybody
>>> has any issues with this, please let us know and we'll help/update as
>>> appropriate.
>>> 
>>> We're working on new SystemVM images, but that's going to take us a
>>> few days.
>> 
>> For those who run 4.3 aren't these good enough?
>> http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/
>> 
>> Also, what is the procedure of replacing the System VMs and templates
>> where there's no actual "upgrade" involved?
>> 
>> Lucian
>> 
>> -- 
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro
> 

