cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: OpenSSL vulnerability (bleedheart)
Date Wed, 09 Apr 2014 16:19:58 GMT
To my knowledge, no code change is necessary, just a rebuild.  - j

Please excuse typos - sent from mobile device.

----- Reply message -----
From: "Rayees Namathponnan" <rayees.namathponnan@citrix.com>
To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Subject: OpenSSL vulnerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get the latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ , it has openssl 1.0.1e-2+deb7u4?

Is there any code change required to create a system template with openssl 1.0.1e-2+deb7u6?

Regards,
Rayees

-----Original Message-----
From: Harikrishna Patnala [mailto:harikrishna.patnala@citrix.com]
Sent: Wednesday, April 09, 2014 5:15 AM
To: <dev@cloudstack.apache.org>
Subject: Re: OpenSSL vulnerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6.

It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test for the OpenSSL Heartbleed
vulnerability. Right now I could not do it from our network.

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux! <nux@li.nux.ro> wrote:

> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>> Latest jenkins build template have openSSL version 1.0.1e, the
>> version that is compromised.
>
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will not change,
> i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.
>
> After I did an "apt-get update && apt-get install openssl" I got package version
> 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:
>
> "aptitude changelog openssl" says:
>
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Enable checking for services that may need to be restarted
>  * Update list of services to possibly restart
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200
>
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Add CVE-2014-0160.patch patch.
>    CVE-2014-0160: Fix TLS/DTLS heartbeat information disclosure.
>    A missing bounds check in the handling of the TLS heartbeat extension
>    can be used to reveal up to 64k of memory to a connected client or
>    server.
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
>
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK.
> Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro

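Added example (not from the thread and not CloudStack project code): a checker that does mechanically what Lucian asks for at the end of his message, confirming from a system VM's `dpkg -l` output that it carries openssl 1.0.1e-2+deb7u5 or later. It reimplements the dpkg version comparison so it runs on a management host that has no dpkg, and it checks libssl1.0.0 alongside openssl, because the heartbeat code lives in the shared library that running services load, not in the openssl command-line tool. The sample dpkg output is constructed for the example; the upstream fallback rules (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and 1.0.2-beta2 fixed) come from the OpenSSL advisory, not from this thread, and assume no other distribution backport.

```python
"""Check a system VM's OpenSSL packages for the CVE-2014-0160 (Heartbleed) fix.
Added example, not CloudStack code: feed it `dpkg -l` output (e.g. piped from
`ssh root@<systemvm> dpkg -l`); dpkg version comparison is reimplemented below."""
import sys

# From the changelog quoted above: deb7u5 is the first wheezy revision carrying
# CVE-2014-0160.patch. Upstream stays 1.0.1e on wheezy; only the revision moves.
FIXED_WHEEZY = "1.0.1e-2+deb7u5"
# The CLI tool and the shared library services actually load (libssl holds the heartbeat code).
PACKAGES = ("openssl", "libssl1.0.0")
# Constructed sample (not captured from a real system VM, header lines omitted): the
# openssl tool was upgraded but libssl1.0.0 was not, which this check must catch.
SAMPLE_DPKG_L = """\
ii  libssl1.0.0:amd64 1.0.1e-2+deb7u4    amd64        SSL shared libraries
ii  openssl           1.0.1e-2+deb7u6    amd64        Secure Sockets Layer toolkit
rc  libssl0.9.8       0.9.8o-4squeeze14  amd64        SSL shared libraries
"""

def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision) like dpkg."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, version, "")

def _order(c):
    """Weight of a non-digit character, mirroring dpkg's order(): '~' < end < letters < other."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's comparison of one version part: alternating non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1          # equal weights imply both chars exist
        while i < len(a) and a[i] == "0":
            i += 1                       # leading zeros are insignificant
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1                     # longer numeric run wins
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """<0, 0 or >0, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def heartbleed_status(version):
    """Classify one openssl/libssl1.0.0 version string."""
    _, upstream, revision = split_version(version)
    if _verrevcmp(upstream, "1.0.1") < 0:
        return "not affected"        # heartbeat extension support first shipped in 1.0.1
    if upstream == "1.0.1e" and "deb7u" in revision:
        # wheezy security lineage: the fix is in the Debian revision, not the upstream part
        return "fixed" if compare_versions(version, FIXED_WHEEZY) >= 0 else "VULNERABLE"
    # Other lineages: fall back to upstream's advisory (assumption: no distro backport).
    # 1.0.1-1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix.
    affected_101 = _verrevcmp(upstream, "1.0.1g") < 0
    affected_102 = _verrevcmp(upstream, "1.0.2~beta1") >= 0 and _verrevcmp(upstream, "1.0.2~beta2") < 0
    if affected_101 or affected_102:
        return "unknown (affected upstream version; safe only with a distro backport)"
    return "fixed"

def parse_dpkg_l(output):
    """Yield (package, version) for installed ('ii') rows; drops ':amd64' multiarch suffixes."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            yield fields[1].split(":", 1)[0], fields[2]

def check_system_vm(dpkg_output, packages=PACKAGES):
    """Return {package: (version, status)} for the OpenSSL packages present."""
    installed = dict(parse_dpkg_l(dpkg_output))
    return {p: (installed[p], heartbleed_status(installed[p])) for p in packages if p in installed}

if __name__ == "__main__":
    data = SAMPLE_DPKG_L if sys.stdin.isatty() else sys.stdin.read()
    for pkg, (ver, status) in check_system_vm(data).items():
        print(f"{pkg:<12} {ver:<18} {status}")
```

A passing package version is only half the check: a process that loaded the old libssl1.0.0 keeps the vulnerable code in memory until it is restarted, which is what the deb7u6 entries about restarting services refer to. After upgrading a running system VM, restart the services that use libssl or reboot the VM, and re-run the check against the rebuilt template before relying on it.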
