cloudstack-dev mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: OpenSSL vulnerability (bleedheart)
Date Wed, 09 Apr 2014 17:52:10 GMT
It might be good to add the particulars of what in the system VMs have
problems, so people know what urgency there is. For example, if the
only system vm that has an SSL service running on it is console proxy,
then an immediate mitigation is to focus on updating that (or shut it
down).  It doesn't do much good to have people go to the trouble of
updating all of their routers if the routers aren't running any
affected services. Certainly the instructions are helpful to be safe,
but if we can give people the info about the exposure then they can
decide.

On Wed, Apr 9, 2014 at 11:34 AM, John Kinsella <jlk@stratosec.co> wrote:
> Folks - unfortunately there’s an error in my blog post last night. On Debian, you need
> to update both openssl and libssl, updating openssl by itself is not good enough. I knew this,
> had it in a draft but somehow that didn’t make it into the post. I’ll blame lack of sleep.
>
> Blog post has been updated, and I’ve also added instructions for VMWare shops, thanks
> to Geoff Higginbottom.
>
> I can guarantee that current ACS is vulnerable, and I can attest that with our config
> (KVM) the notes in the blog post [1] will mitigate the vulnerability.
>
> 1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed
>
> On Apr 9, 2014, at 5:30 AM, Nux! <nux@li.nux.ro> wrote:
>
> On 09.04.2014 12:04, Abhinandan Prateek wrote:
> > Latest jenkins build template has openSSL version 1.0.1e, the version
> > that is compromised.
>
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will not change,
> i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.
>
> After I did an "apt-get update && apt-get install openssl" I got package version
> 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:
>
> "aptitude changelog openssl" says:
>
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Enable checking for services that may need to be restarted
>  * Update list of services to possibly restart
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Tue,
> 08 Apr 2014 10:44:53 +0200
>
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Add CVE-2014-0160.patch patch.
>    CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>    A missing bounds check in the handling of the TLS heartbeat extension
>    can be used to reveal up to 64k of memory to a connected client or
>    server.
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Mon,
> 07 Apr 2014 22:26:55 +0200
>
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK.
> Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> Stratosec (http://stratosec.co/) - Compliance as a Service
> o: 415.315.9385
> @johnlkinsella (http://twitter.com/johnlkinsella)
>
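The thread makes two points that are easy to get wrong when auditing a system VM: the fix is in the Debian revision (1.0.1e-2+deb7u5 or later, not the unchanged upstream 1.0.1e), and both the openssl tool and the libssl library package have to be at that level. The following is an added example, not code from the thread or from CloudStack: it reimplements dpkg's version ordering so it runs offline, checks constructed `dpkg -l` output, and assumes the wheezy library package is named libssl1.0.0.

```python
import re
# Level named in the thread: Debian wheezy fixed CVE-2014-0160 in openssl 1.0.1e-2+deb7u5, and
# both the openssl tool and the libssl library must reach it ("libssl1.0.0" is the assumed name).
FIXED = "1.0.1e-2+deb7u5"
PACKAGES = ("openssl", "libssl1.0.0")

def _order(c):  # dpkg ordering for non-digit characters: '~' < end of string < letters < symbols
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # dpkg component comparison: alternate lexical compare of non-digit runs with numeric
    # compare of digit runs, so that "deb7u5" < "deb7u6" and "2" < "2+deb7u5".
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            x, y = _order(sa[i:i + 1]), _order(sb[i:i + 1])
            if x != y:
                return (x > y) - (x < y)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), upstream if sep else rest, revision if sep else ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def check_dpkg_output(dpkg_l_output):
    """Parse `dpkg -l` text; return (stale, missing): tracked packages below FIXED, and ones absent."""
    found = {}
    for line in dpkg_l_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "ii" and f[1] in PACKAGES:  # "ii" marks an installed package
            found[f[1]] = f[2]
    stale = {p: v for p, v in found.items() if compare_versions(v, FIXED) < 0}
    return stale, [p for p in PACKAGES if p not in found]

# Constructed sample reproducing the mistake the thread warns about: openssl updated, libssl not.
SAMPLE_DPKG_L = """\
ii  libssl1.0.0  1.0.1e-2+deb7u4  amd64        SSL shared libraries
ii  openssl      1.0.1e-2+deb7u6  amd64        Secure Sockets Layer toolkit
"""
```

On a real system VM, feed it the output of `dpkg -l openssl libssl1.0.0`; an up-to-date libssl still only takes effect for services that have been restarted since the upgrade.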
