Also, if any of our mysql code base uses encryption/decryption/hash
functionality, which mysql libraries are linked to and which in turn rely on
openssl/libssl, then we may want to mention a note to update to the fixed version
of openssl, recreate new cert keys, and restart mysql to use the new ones.
In such cases, don't the devel packages also need to be updated, say
openssl-devel?

Santhosh
________________________________________
From: John Kinsella [j...@stratosec.co]
Sent: Wednesday, April 09, 2014 2:06 PM
To: dev@cloudstack.apache.org
Subject: Re: OpenSSL vulnerability (Heartbleed)

I want to address a few things here directly (I think these are covered in the 
blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious, see 
"lsof|grep -i ssl"
* I’m not sure if the current SystemVM template on Jenkins is secure, we’re 
testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there’s a 
security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you’re using realhostIP, it 
doesn’t matter what version of OSSL you use, you’re still insecure. Horse: 
beaten.
* Chiradeep’s correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions…running around doing a few things but this is 
very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)

On Apr 9, 2014, at 10:19 AM, John Kinsella <j...@stratosec.co> wrote:

To my knowledge, no code change is necessary, just a rebuild. - j

Please excuse typos - sent from mobile device.

----- Reply message -----
From: "Rayees Namathponnan" <rayees.namathpon...@citrix.com>
To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Subject: OpenSSL vulnerability (Heartbleed)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get the latest systemvm template from 
http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/, it has 
openssl 1.0.1e-2+deb7u4?

Is there any code change required to create a system template with openssl 
1.0.1e-2+deb7u6?

Regards,
Rayees

-----Original Message-----
From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
Sent: Wednesday, April 09, 2014 5:15 AM
To: <dev@cloudstack.apache.org>
Subject: Re: OpenSSL vulnerability (Heartbleed)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to 
get 1.0.1e-2+deb7u6.

It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test the 
OpenSSL Heartbleed vulnerability. Right now I could not do it from our network.

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote:

On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template has openSSL version 1.0.1e, the
version that is compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will 
not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they 
will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package 
version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according 
to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Enable checking for services that may need to be restarted
* Update list of services to possibly restart

-- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Add CVE-2014-0160.patch patch.
  CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
  A missing bounds check in the handling of the TLS heartbeat extension
  can be used to reveal up to 64k of memory to a connected client or
  server.

-- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they 
are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Stratosec <http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella <http://twitter.com/johnlkinsella>
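To make the two checks discussed in this thread repeatable on a wheezy-based SystemVM, here is an added shell example (not code from the thread, CloudStack or Debian): it compares the package version reported by "dpkg -l" with the first build carrying CVE-2014-0160.patch, 1.0.1e-2+deb7u5, and pulls the processes that still have libssl mapped out of "lsof" output, the "lsof|grep -i ssl" idea above, since those must be restarted after the upgrade. The dpkg and lsof lines below are constructed samples, and the libssl1.0.0 package name is the wheezy library package, not something taken from the thread.

```shell
#!/bin/sh
# Added example: Heartbleed (CVE-2014-0160) exposure check for Debian wheezy hosts.

FIXED_UPSTREAM="1.0.1e-2"   # wheezy keeps this upstream+revision string and backports fixes
FIXED_DEB_REV=5             # 1.0.1e-2+deb7u5 is the first build with CVE-2014-0160.patch

# openssl_fixed VERSION -> exit 0 if VERSION is 1.0.1e-2+deb7u5 or later, 1 otherwise.
# Anything that is not the wheezy 1.0.1e-2+deb7uN form is reported as not fixed,
# so an unexpected string is never silently treated as safe.
openssl_fixed() {
    case "$1" in
        "$FIXED_UPSTREAM"+deb7u*)
            rev=${1#"$FIXED_UPSTREAM"+deb7u}
            case "$rev" in ''|*[!0-9]*) return 1 ;; esac
            [ "$rev" -ge "$FIXED_DEB_REV" ] ;;
        *) return 1 ;;
    esac
}

# dpkg_version "<dpkg -l output>" PKG -> version column of the installed (ii) package,
# also matching the multiarch form PKG:amd64.
dpkg_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" \
        '$1 == "ii" && ($2 == pkg || index($2, pkg ":") == 1) { print $3; exit }'
}

# ssl_users "<lsof output>" -> process names (COMMAND column) with libssl mapped,
# deduplicated, space-separated on one line: the services to restart after the upgrade.
ssl_users() {
    printf '%s\n' "$1" | awk 'tolower($0) ~ /libssl/ && !seen[$1]++ {
        printf "%s%s", (n++ ? " " : ""), $1 } END { print "" }'
}

# Constructed samples: an unpatched SystemVM as described in the thread.
DPKG_SAMPLE='ii  openssl            1.0.1e-2+deb7u4  amd64  SSL binary and related tools
ii  libssl1.0.0:amd64  1.0.1e-2+deb7u4  amd64  SSL shared libraries'
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1210 www-data mem REG 8,1 402296 13111 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2 1211 www-data mem REG 8,1 402296 13111 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd 980 root mem REG 8,1 402296 13111 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
cron 901 root mem REG 8,1 51712 13090 /lib/x86_64-linux-gnu/libpam.so.0.83.1'

ver=$(dpkg_version "$DPKG_SAMPLE" openssl)
if openssl_fixed "$ver"; then
    echo "openssl $ver: patched for CVE-2014-0160"
else
    echo "openssl $ver: NOT patched; apt-get update && apt-get install openssl libssl1.0.0"
fi
echo "processes with libssl mapped (restart after upgrade): $(ssl_users "$LSOF_SAMPLE")"
```

On a live host, replace the samples with "$(dpkg -l)" and "$(lsof)"; the library package is what running services actually map, so check libssl1.0.0 as well as openssl.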
