cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: OpenSSL vulnerability (bleedheart)
Date Wed, 09 Apr 2014 05:55:44 GMT
Just put up a blog post with mitigation instructions [1]. If anybody has any issues with this,
please let us know and we’ll help/update as appropriate.

We’re working on new SystemVM images, but that’s going to take us a few days.

John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 8, 2014, at 6:21 PM, John Kinsella <jlk@stratosec.co> wrote:

> Folks - we’re aware of the OpenSSL issue, and are working with vendors to release mitigation instructions for ACS.
> 
> Hoping to have something out later this evening.
> 
> John
> 
> On Apr 8, 2014, at 8:12 AM, Paul Angus <paul.angus@shapeblue.com> wrote:
> 
> A vulnerability has been found in OpenSSL
> 
> http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
> 
> Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases as Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
> 
> It is fixed in OpenSSL 1.0.1g
> 
> From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
> 
> "Statement:
> This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
> 
> XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.
> 
> 
> 
> Regards,
> 
> Paul Angus
> Senior Consultant / Cloud Architect