SSL version 3 has been revealed as insecure via the POODLE attack <https://www.us-cert.gov/ncas/alerts/TA14-290A>. The Erlang VM on which Riak relies supports this old version.

*Description*

This fix is very narrow in scope. It instructs Erlang's SSL library to forbid SSL version 3 traffic. Versions of Riak prior to 1.2 are also susceptible in the limited scenarios described here, but the patch supplied is not applicable.

*Affected Users*

Users that do any of the following will be affected:

- expose Riak CS to untrusted networks via HTTPS
- expose Riak's optional HTTPS interface to untrusted networks
- expose Riak Control to untrusted networks

If you do not expose Riak or Riak CS to untrusted networks, we do not recommend applying this patch, as it may lead to upgrade problems in the future. If you are a Riak CS user, please also assess your Riak installation against the criteria above and apply the patch if indicated.

*Riak 2.0 Users*

If you have installed Riak 2.0.5, you will not need to apply the patch, as that version includes the fix. If you are using Riak 2.0.0 to 2.0.2, please upgrade to 2.0.5.

*Riak CS and Riak 1.2-1.4 Users*

A patch is available on our Product advisories page. Instructions to install and back out can be found here <http://docs.basho.com/riak/latest/community/product-advisories/ssl-poodle/#Riak-CS-and-Riak-1-2-1-4-Users>.

*Moving forward*

This patch is included in Riak 2.0.5 and all releases thereafter.

Let us know if you have any questions.

Regards,
Seema Jethani
Director of Product Management, Basho <http://basho.com/>
4083455739 | @seemaj <http://twitter.com/seemaj>
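A check an operator could run to confirm that an HTTPS listener refuses SSL version 3, added here as an example (it is not Basho's code and not part of the patch). It sends a ClientHello that offers SSL 3.0 only and classifies the first reply record; the function names, cipher suite list and result labels are assumptions of this example.

```python
import socket
import struct
import sys

SSL3 = (3, 0)  # protocol version bytes for SSL 3.0

def build_ssl3_client_hello() -> bytes:
    """ClientHello that offers SSL 3.0 only (no extensions exist in SSL 3.0)."""
    suites = [0x002F, 0x0035, 0x000A, 0x0005]  # constructed list: AES/3DES/RC4 with SHA
    body = bytes(SSL3) + bytes(32) + b"\x00"   # version, random (zeros), empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(SSL3) + struct.pack(">H", len(handshake)) + handshake

def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sent back after the SSL 3.0 hello."""
    if not data or data[0] == 0x15:            # closed connection or alert record
        return "rejects-sslv3"
    # Handshake record (0x16) carrying ServerHello (0x02); server_version at offset 9
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        return "accepts-sslv3" if tuple(data[9:11]) == SSL3 else "inconclusive"
    return "inconclusive"                      # e.g. a plain HTTP listener

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the hello to host:port and classify the reply."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_ssl3_client_hello())
            while len(data) < 11 and not data.startswith(b"\x15"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return "inconclusive"
    except ConnectionResetError:
        pass                                   # reset after the hello counts as refusal
    return classify_response(data)

if __name__ == "__main__":
    # Usage: python check_sslv3.py <host> <port>  (script name is hypothetical)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A listener that answers `accepts-sslv3` still negotiates SSL version 3; `rejects-sslv3` means the hello was answered with an alert or a closed connection.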