Courtesy Chiradeep
- CPVM uses JSSE so that should not be affected
- VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport
- The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs
- Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected

Thanks
Animesh

> -----Original Message-----
> From: John Kinsella [mailto:[email protected]]
> Sent: Wednesday, April 09, 2014 11:07 AM
> To: [email protected]
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> I want to address a few things here directly (I think these are covered in the blog post, if not ping me)
>
> * Current SSVM from 4.3 is not good enough.
> * Yes, each SystemVM runs software that needs OpenSSL. For the curious, see "lsof|grep -i ssl"
> * I'm not sure if the current SystemVM template on Jenkins is secure, we're testing that currently and will update once confirmed.
> * Assume if you see us releasing a blog post about a security issue, there's a security issue (QED HTH HAND)
> * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP, it doesn't matter what version of OSSL you use, you're still insecure. Horse: beaten.
> * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.
>
> I think that covers the questions...running around doing a few things but this is very high on our priority list.
>
> (snarky comments are meant to be funny not insulting/condescending)
>
> On Apr 9, 2014, at 10:19 AM, John Kinsella <[email protected]> wrote:
>
> To my knowledge, no code change is necessary just a rebuild. - j
>
> Please excuse typos - sent from mobile device.
>
> ----- Reply message -----
> From: "Rayees Namathponnan" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: OpenSSL vulnerability (bleedheart)
> Date: Wed, Apr 9, 2014 10:13 AM
>
> Even if we get latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ , it has openssl 1.0.1e-2+deb7u4 ?
>
> Is there any code change required to create system template with openssl 1.0.1e-2+deb7u6 ?
>
> Regards,
> Rayees
>
> -----Original Message-----
> From: Harikrishna Patnala [mailto:[email protected]]
> Sent: Wednesday, April 09, 2014 5:15 AM
> To: <[email protected]>
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6.
>
> It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network.
>
> -Harikrishna
>
> On 09-Apr-2014, at 5:00 pm, Nux! <[email protected]> wrote:
>
> On 09.04.2014 12:04, Abhinandan Prateek wrote:
> Latest jenkins build template have openSSL version 1.0.1e, the version that is compromised.
>
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.
>
> After I did an "apt-get update && apt-get install openssl" I got package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:
>
> "aptitude changelog openssl" says:
>
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>
> * Non-maintainer upload by the Security Team.
> * Enable checking for services that may need to be restarted
> * Update list of services to possibly restart
>
> -- Salvatore Bonaccorso <[email protected]> Tue, 08 Apr 2014 10:44:53 +0200
>
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>
> * Non-maintainer upload by the Security Team.
> * Add CVE-2014-0160.patch patch.
> CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
> A missing bounds check in the handling of the TLS heartbeat extension
> can be used to reveal up to 64k of memory to a connected client or
> server.
>
> -- Salvatore Bonaccorso <[email protected]> Mon, 07 Apr 2014 22:26:55 +0200
>
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
>
> Stratosec <http://stratosec.co/> - Compliance as a Service
> o: 415.315.9385
> @johnlkinsella <http://twitter.com/johnlkinsella>
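As an added example, not code from the thread or from the CloudStack project: a POSIX shell script that applies the version rule Lucian states (1.0.1e-2+deb7u5 or later is fixed, comparing only the Debian revision because the upstream string stays 1.0.1e) to a `dpkg -l` row, and then lists processes that still have the pre-upgrade libssl mapped, which is the restart check the deb7u6 changelog entry refers to and the `lsof|grep -i ssl` check John mentions. The dpkg and lsof rows are constructed samples; the deb7uN parsing is an assumption that only the wheezy package line is being checked.

```shell
#!/bin/sh
# Added example: checks for the Debian wheezy openssl package line
# 1.0.1e-2+deb7uN, where only the +deb7uN revision changes between uploads.

FIXED_REV=5   # 1.0.1e-2+deb7u5 is the upload that added CVE-2014-0160.patch

# heartbleed_fixed VERSION: exit 0 if the wheezy package carries the fix,
# 1 otherwise (including any version string this check does not understand).
heartbleed_fixed() {
    ver="$1"
    case "$ver" in
        1.0.1e-2+deb7u*) ;;      # only the wheezy package line is handled
        *) return 1 ;;           # e.g. plain "1.0.1e": fix status not confirmed
    esac
    rev="${ver##*deb7u}"         # the trailing revision number N
    case "$rev" in
        ''|*[!0-9]*) return 1 ;; # missing or non-numeric N: not confirmed
    esac
    [ "$rev" -ge "$FIXED_REV" ]
}

# check_dpkg_line "ii  openssl  VERSION ...": classify one 'dpkg -l' row.
# Prints a verdict; returns 0 when fixed, 1 when not.
check_dpkg_line() {
    set -- $1                    # split the row: $2 is the package, $3 the version
    if heartbleed_fixed "$3"; then
        echo "ok: $2 $3"
    else
        echo "VULNERABLE: $2 $3"
        return 1
    fi
}

# After the package upgrade, processes that loaded the old libssl keep the
# unlinked copy mapped until restarted; lsof marks those mappings "(deleted)".
# needs_restart reads 'lsof' output on stdin and prints each such command once.
needs_restart() {
    awk '/libssl/ && /\(deleted\)/ { print $1 }' | sort -u
}

# Constructed sample rows (not captured from a real system VM) for a dry run.
DPKG_SAMPLE='ii  openssl  1.0.1e-2+deb7u4  amd64  Secure Sockets Layer toolkit'
LSOF_SAMPLE='apache2   901 www-data mem REG 8,1 431600 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
apache2   902 www-data mem REG 8,1 431600 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
sshd      812 root     mem REG 8,1 431600 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
cron      777 root     mem REG 8,1 431700 5678 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

check_dpkg_line "$DPKG_SAMPLE" || true        # prints: VULNERABLE: openssl 1.0.1e-2+deb7u4
printf '%s\n' "$LSOF_SAMPLE" | needs_restart  # prints apache2 and sshd; cron holds the current copy
```

On a live host the same functions take `dpkg -l openssl | grep '^ii'` and `lsof` output directly.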
