Should just pull in the latest and work, if we're talking about building a fresh system vm.

Do we even have any services running in the system vm that require an update? We don't do SSL termination with haproxy for load balancers (yet), and I don't think that the apache web stuff for userdata/passwords is SSL, is it? From what I've seen, SSH doesn't even use the OpenSSL libs... I'm trying to think of a service that would be affected. We definitely want to push the latest, but I'm just wondering what actual urgency there should be for users to update their system vms.

On Wed, Apr 9, 2014 at 10:12 AM, Rayees Namathponnan <rayees.namathpon...@citrix.com> wrote:
> Even if we get the latest systemvm template from
> http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ , it
> has openssl 1.0.1e-2+deb7u4 ?
>
> Is there any code change required to create a system template with openssl
> 1.0.1e-2+deb7u6 ?
>
> Regards,
> Rayees
>
> -----Original Message-----
> From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
> Sent: Wednesday, April 09, 2014 5:15 AM
> To: <dev@cloudstack.apache.org>
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to
> get 1.0.1e-2+deb7u6.
>
> It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test
> the OpenSSL HeartBleed vulnerability. Right now I could not do it from our
> network.
>
> -Harikrishna
>
> On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote:
>
>> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>>> The latest jenkins build template has openSSL version 1.0.1e, the
>>> version that is compromised.
>>
>> Guys, do not panic.
>> It is my understanding that in Debian, just like in RHEL, major versions
>> will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but
>> they will backport stuff.
>>
>> After I did an "apt-get update && apt-get install openssl" I got package
>> version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok
>> according to the changelog:
>>
>> "aptitude changelog openssl" says:
>>
>> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>>
>>   * Non-maintainer upload by the Security Team.
>>   * Enable checking for services that may need to be restarted
>>   * Update list of services to possibly restart
>>
>>  -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200
>>
>> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>>
>>   * Non-maintainer upload by the Security Team.
>>   * Add CVE-2014-0160.patch patch.
>>     CVE-2014-0160: Fix TLS/DTLS heartbeat information disclosure.
>>     A missing bounds check in the handling of the TLS heartbeat extension
>>     can be used to reveal up to 64k of memory to a connected client or
>>     server.
>>
>>  -- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
>>
>> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then
>> they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>>
>> Lucian
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro