Just put up a blog post with mitigation instructions [1]. If anybody has any 
issues with this, please let us know and we’ll help/update as appropriate.

We’re working on new SystemVM images, but that’s going to take us a few days.

John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 8, 2014, at 6:21 PM, John Kinsella <j...@stratosec.co> wrote:

> Folks - we’re aware of the OpenSSL issue, and are working with vendors to 
> release mitigation instructions for ACS.
> 
> Hoping to have something out later this evening.
> 
> John
> 
> On Apr 8, 2014, at 8:12 AM, Paul Angus 
> <paul.an...@shapeblue.com> wrote:
> 
> A vulnerability has been found in OpenSSL
> 
> http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
> 
> Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such 
> releases as
> Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, 
> FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
> 
> It is fixed in OpenSSL 1.0.1g
> 
> From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
> 
> "Statement:
> This issue did not affect the versions of openssl as shipped with Red Hat 
> Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue 
> does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization 
> Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
> 
> XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM version without 
> modification (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008), so is unaffected.
> 
> Regards,
> 
> Paul Angus
> Senior Consultant / Cloud Architect